
Red Hat Enterprise Linux-6-6.4 Technical Notes-En-US

Date post: 27-Oct-2015
Red Hat Engineering Content Services

Red Hat Enterprise Linux 6
6.4 Technical Notes

Detailed notes on the changes implemented in Red Hat Enterprise Linux 6.4

Edition 4

Legal Notice

Copyright 2013 Red Hat, Inc. This document is licensed by Red Hat under the Creative Commons Attribution-ShareAlike 3.0 Unported License. If you distribute this document, or a modified version of it, you must provide attribution to Red Hat, Inc. and provide a link to the original. If the document is modified, all Red Hat trademarks must be removed.

Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.

Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.

Linux is the registered trademark of Linus Torvalds in the United States and other countries.

Java is a registered trademark of Oracle and/or its affiliates.

XFS is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.

MySQL is a registered trademark of MySQL AB in the United States, the European Union and other countries.

Node.js is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.

The OpenStack Word Mark and OpenStack Logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.

All other trademarks are the property of their respective owners.

Keywords

Abstract

The Red Hat Enterprise Linux 6.4 Technical Notes list and document the changes made to the Red Hat Enterprise Linux 6 operating system and its accompanying applications between Red Hat Enterprise Linux 6.3 and minor release Red Hat Enterprise Linux 6.4.


Table of Contents

Preface

Chapter 1. Important Changes to External Kernel Parameters

Chapter 2. Device Drivers
Storage Drivers
Network Drivers
Miscellaneous Drivers

Chapter 3. Technology Previews
3.1. Storage and File Systems
3.2. Networking
3.3. Clustering and High Availability
3.4. Authentication
3.5. Security
3.6. Devices
3.7. Kernel
3.8. Virtualization

Chapter 4. Known Issues
4.1. Installation
4.2. Entitlement
4.3. Deployment
4.4. Virtualization
4.5. Storage and File Systems
4.6. Networking
4.7. Clustering
4.8. Authentication
4.9. Devices
4.10. Kernel
4.11. Desktop
4.12. Tools

Chapter 5. New Packages
5.1. RHEA-2013:0278 — new packages: dev86 and iasl
5.2. RHEA-2013:0484 — new packages: hypervkvpd
5.3. RHEA-2013:0422 — new packages: libjpeg-turbo
5.4. RHEA-2013:0369 — new packages: pcs
5.5. RHEA-2013:0356 — new package: haproxy
5.6. RHEA-2013:0355 — new package: keepalived
5.7. RHEA-2013:0349 — new packages: linuxptp
5.8. RHEA-2013:0342 — new packages: libitm
5.9. RHEA-2013:0341 — new package: scipy
5.10. RHEA-2013:0340 — new packages: suitesparse
5.11. RHEA-2013:0339 — new packages: tbb
5.12. RHEA-2013:0336 — new package: tuna
5.13. RHEA-2013:0289 — new package: mtdev
5.14. RHEA-2013:0284 — new package: cpupowerutils
5.15. RHEA-2013:0283 — new package: cgdcbxd

Chapter 6. Updated Packages
6.1. 389-ds-base
6.1.1. RHSA-2013:0503 — Moderate: 389-ds-base security bug fix and enhancement update


6.2. abrt, libreport and btparser
6.2.1. RHBA-2013:0290 — abrt, libreport and btparser bug fix and enhancement update
6.3. alsa-utils
6.3.1. RHBA-2013:0318 — alsa-utils bug fix and enhancement update
6.4. amanda
6.4.1. RHBA-2013:0427 — amanda bug fix update
6.5. anaconda
6.5.1. RHBA-2013:0373 — anaconda bug fix and enhancement update
6.6. authconfig
6.6.1. RHBA-2013:0486 — authconfig bug fix update
6.7. autofs
6.7.1. RHBA-2013:0462 — autofs bug fix and enhancement update
6.8. automake
6.8.1. RHSA-2013:0526 — Low: automake security update
6.9. avahi
6.9.1. RHBA-2013:0368 — avahi bug fix update
6.10. bacula
6.10.1. RHBA-2012:1469 — bacula bug fix update
Bug Fixes
6.11. bash
6.11.1. RHBA-2013:0306 — bash bug fix and enhancement update
6.12. bfa-firmware
6.12.1. RHBA-2013:0315 — bfa-firmware bug fix and enhancement update
6.13. bind-dyndb-ldap
6.13.1. RHBA-2013:0359 — bind-dyndb-ldap bug fix and enhancement update
6.14. bind
6.14.1. RHSA-2013:0550 — Moderate: bind security and enhancement update
6.14.2. RHBA-2013:0475 — bind bug fix update
6.15. binutils
6.15.1. RHBA-2013:0498 — binutils bug fix update
6.16. biosdevname
6.16.1. RHBA-2013:0434 — biosdevname bug fix and enhancement update
6.17. bridge-utils
6.17.1. RHEA-2013:0322 — bridge-utils enhancement update
6.18. brltty
6.18.1. RHBA-2012:1231 — brltty bug fix update
Bug Fixes
6.19. btrfs-progs
6.19.1. RHBA-2013:0456 — btrfs-progs bug fix and enhancement update
6.20. ccid
6.20.1. RHSA-2013:0523 — Low: ccid security and bug fix update
6.21. cdrkit
6.21.1. RHBA-2012:1451 — cdrkit bug fix update
6.22. certmonger
6.22.1. RHBA-2013:0320 — certmonger bug fix and enhancement update
6.23. cifs-utils
6.23.1. RHBA-2013:0408 — cifs-utils bug fix and enhancement update
6.24. clustermon
6.24.1. RHBA-2013:0469 — clustermon bug fix update
6.25. cluster and gfs2-utils
6.25.1. RHBA-2013:0287 — cluster and gfs2-utils bug fix and enhancement update
6.26. control-center
6.26.1. RHBA-2013:0335 — control-center bug fix update


6.27. coolkey
6.27.1. RHBA-2013:0397 — coolkey bug fix and enhancement update
6.28. Core X11 Libraries
6.28.1. RHBA-2013:0294 — Core X11 libraries bug fix and enhancement update
6.29. Core X11 clients
6.29.1. RHSA-2013:0502 — Low: Core X11 clients security, bug fix, and enhancement update
6.30. corosync
6.30.1. RHBA-2013:0497 — corosync bug fix update
6.31. cpuspeed
6.31.1. RHBA-2013:0490 — cpuspeed bug fix update
6.31.2. RHBA-2012:1404 — cpuspeed bug fix update
Bug Fixes
6.32. crash
6.32.1. RHBA-2013:0317 — crash bug fix and enhancement update
6.33. createrepo
6.33.1. RHBA-2013:0328 — createrepo bug fix and enhancement update
6.34. ctdb
6.34.1. RHBA-2013:0337 — ctdb bug fix update
6.35. curl
6.35.1. RHBA-2013:0393 — curl bug fix update
6.36. cvs
6.36.1. RHBA-2012:1302 — cvs bug fix update
6.37. dash
6.37.1. RHBA-2012:1381 — dash bug fix update
Bug Fix
6.38. device-mapper-multipath
6.38.1. RHBA-2013:0458 — device-mapper-multipath
6.39. dhcp
6.39.1. RHSA-2013:0504 — Low: dhcp security and bug fix update
6.40. dnsmasq
6.40.1. RHSA-2013:0277 — Moderate: dnsmasq security, bug fix and enhancement update
6.41. docbook-utils
6.41.1. RHBA-2012:1321 — docbook-utils bug fix update
6.42. dovecot
6.42.1. RHSA-2013:0520 — Low: dovecot security and bug fix update
6.43. dracut
6.43.1. RHBA-2013:0436 — dracut bug fix and enhancement update
6.44. dropwatch
6.44.1. RHBA-2012:1182 — dropwatch bug fix update
Bug Fix
6.45. dvd+rw-tools
6.45.1. RHBA-2012:1320 — dvd+rw-tools bug fix update
6.46. e2fsprogs
6.46.1. RHBA-2013:0455 — e2fsprogs bug fix update
6.47. eclipse-nls
6.47.1. RHBA-2013:0357 — eclipse-nls bug fix and enhancement update
6.48. environment-modules
6.48.1. RHBA-2013:0316 — environment-modules bug fix update
6.49. espeak
6.49.1. RHBA-2012:1118 — espeak bug fix update
Bug Fix
6.50. ethtool
6.50.1. RHBA-2013:0366 — ethtool bug fix and enhancement update


6.51. evolution-data-server
6.51.1. RHBA-2013:0410 — evolution-data-server bug fix update
6.52. evolution
6.52.1. RHSA-2013:0516 — Low: evolution security and bug fix update
6.53. fcoe-target-utils
6.53.1. RHBA-2013:0457 — fcoe-target-utils bug fix and enhancement update
6.54. fcoe-utils
6.54.1. RHBA-2013:0412 — fcoe-utils bug fix and enhancement update
6.55. febootstrap
6.55.1. RHBA-2013:0432 — febootstrap bug fix update
6.56. fence-agents
6.56.1. RHBA-2013:0540 — fence-agents bug fix update
6.56.2. RHBA-2013:0286 — fence-agents bug fix and enhancement update
6.57. fence-virt
6.57.1. RHBA-2013:0419 — fence-virt bug fix and enhancement update
6.58. file
6.58.1. RHBA-2012:1339 — file bug fix update
Bug Fixes
6.59. firstboot
6.59.1. RHEA-2013:0488 — firstboot enhancement update
6.60. ftp
6.60.1. RHBA-2012:1192 — ftp bug fix update
Bug Fix
6.60.2. RHBA-2012:1444 — ftp bug fix update
Bug Fixes
6.60.3. RHBA-2012:1354 — ftp bug fix update
Bug Fixes
6.61. gawk
6.61.1. RHBA-2012:1146 — gawk bug fix update
Bug Fix
6.62. gcc
6.62.1. RHBA-2013:0420 — gcc bug fix update
6.63. gdb
6.63.1. RHSA-2013:0522 — Moderate: gdb security and bug fix update
6.64. gdm
6.64.1. RHBA-2013:0381 — gdm bug fix and enhancement update
6.65. gd
6.65.1. RHBA-2012:1274 — gd bug fix update
6.66. geronimo-specs
6.66.1. RHBA-2012:1397 — geronimo-specs bug fix update
Bug Fix
6.67. glibc
6.67.1. RHBA-2013:0279 — glibc bug fix update
6.68. gnome-desktop
6.68.1. RHBA-2012:1352 — gnome-desktop bug fix update
Bug Fix
6.69. gnome-packagekit
6.69.1. RHBA-2013:0280 — gnome-packagekit bug fix update
6.70. gnome-screensaver
6.70.1. RHBA-2013:0390 — gnome-screensaver bug fix update
6.71. gnome-settings-daemon
6.71.1. RHBA-2013:0312 — gnome-settings-daemon bug fix and enhancement update
6.72. gnome-terminal
6.72.1. RHBA-2012:1311 — gnome-terminal bug fix update
Bug Fix


6.73. gnutls
6.73.1. RHBA-2013:0425 — gnutls bug fix update
6.74. graphviz
6.74.1. RHBA-2012:1291 — graphviz bug fix update
Bug Fixes
6.75. grub
6.75.1. RHBA-2013:0428 — grub bug fix and enhancement update
6.76. gstreamer-plugins-base
6.76.1. RHEA-2012:1473 — gstreamer-plugins-base enhancement update
Enhancement
6.77. gtk2
6.77.1. RHBA-2013:0493 — gtk2 bug fix update
6.78. gvfs
6.78.1. RHBA-2012:1124 — gvfs bug fix and enhancement update
Bug Fixes
6.79. hivex
6.79.1. RHBA-2013:0433 — hivex bug fix update
6.80. hplip
6.80.1. RHSA-2013:0500 — Low: hplip security, bug fix and enhancement update
6.81. hsqldb
6.81.1. RHBA-2013:0334 — hsqldb bug fix update
6.82. httpd
6.82.1. RHSA-2013:0512 — Low: httpd security, bug fix and enhancement update
6.83. hwdata
6.83.1. RHEA-2013:0376 — hwdata enhancement update
6.84. hwloc
6.84.1. RHBA-2013:0331 — hwloc bug fix and enhancement update
6.85. icedtea-web
6.85.1. RHBA-2013:0491 — icedtea-web bug fix update
6.86. infinipath-psm
6.86.1. RHBA-2013:0536 — infinipath-psm bug fix update
6.87. initscripts
6.87.1. RHBA-2013:0518 — initscript bug fix and enhancement update
6.88. iok
6.88.1. RHBA-2012:1164 — iok bug fix update
Bug Fixes
6.89. ipa
6.89.1. RHSA-2013:0528 — Low: ipa security, bug fix and enhancement update
6.90. iproute
6.90.1. RHBA-2013:0417 — iproute bug fix and enhancement update
6.91. iprutils
6.91.1. RHBA-2013:0378 — iprutils bug fix and enhancement update
6.92. iptables
6.92.1. RHBA-2013:0332 — iptables bug fix and enhancement update
6.93. irqbalance
6.93.1. RHBA-2013:0367 — irqbalance bug fix and enhancement update
6.94. irssi
6.94.1. RHBA-2012:1171 — irssi bug fix update
Bug Fix
6.95. iscsi-initiator-utils
6.95.1. RHBA-2013:0438 — iscsi-initiator-utils bug fix and enhancement update
6.96. jss
6.96.1. RHBA-2013:0424 — jss bug fix and enhancement update
6.97. kabi-whitelists
6.97.1. RHEA-2013:0485 — kabi-whitelists enhancement update


6.98. kdebase
6.98.1. RHBA-2012:1371 — kdebase bug fix update
6.99. kdebase-workspace
6.99.1. RHBA-2012:1286 — kdebase-workspace bug fix update
Bug Fix
6.100. kdelibs3
6.100.1. RHBA-2012:1244 — kdelibs3 bug fix update
Bug Fixes
6.101. kdelibs
6.101.1. RHBA-2012:1251 — kdelibs bug fix update
Bug Fixes
6.101.2. RHSA-2012:1418 — Critical: kdelibs security update
6.102. kdepim
6.102.1. RHBA-2012:1287 — kdepim bug fix update
Bug Fix
6.103. kernel
6.103.1. RHSA-2013:1173 — Important: kernel security and bug fix update
6.103.2. RHSA-2013:1051 — Moderate: kernel security and bug fix update
6.103.3. RHSA-2013:0911 — Important: kernel security, bug fix and enhancement update
6.103.4. RHSA-2013:0744 — Important: kernel security and bug fix update
6.103.5. RHSA-2013:0630 — Important: kernel security and bug fix update
6.103.6. RHSA-2013:0496 — Important: Red Hat Enterprise Linux 6 kernel security, bug fix, and enhancement update
6.104. kexec-tools
6.104.1. RHBA-2013:0281 — kexec-tools bug fix and enhancement update
6.105. krb5
6.105.1. RHBA-2013:0319 — krb5 bug fix update
6.106. ksh
6.106.1. RHBA-2013:0430 — ksh bug fix and enhancement update
6.107. ledmon
6.107.1. RHBA-2013:0479 — ledmon bug fix and enhancement update
6.108. libburn
6.108.1. RHBA-2012:1273 — libburn bug fix update
6.109. libcgroup
6.109.1. RHBA-2013:0452 — libcgroup bug fix and enhancement update
6.110. libdbi
6.110.1. RHBA-2013:0326 — libdbi bug fix update
6.111. libdvdread
6.111.1. RHBA-2012:1247 — libdvdread bug fix update
Bug Fix
6.112. libguestfs
6.112.1. RHBA-2013:0324 — libguestfs bug fix and enhancement update
6.113. libhbaapi
6.113.1. RHEA-2013:0416 — libhbaapi enhancement update
6.114. libhbalinux
6.114.1. RHBA-2013:0415 — libhbalinux bug fix and enhancement update
6.115. libical
6.115.1. RHBA-2013:0471 — libical bug fix update
6.116. libica
6.116.1. RHEA-2013:0399 — libica enhancement update
6.117. libldb
6.117.1. RHBA-2013:0372 — libldb bug fix and enhancement update
6.118. libqb
6.118.1. RHBA-2013:0323 — libqb bug fix and enhancement update
6.119. libsemanage


6.119.1. RHBA-2013:0465 — libsemanage bug fix update
6.120. libsoup
6.120.1. RHBA-2013:0313 — libsoup bug fix update
6.121. libssh2
6.121.1. RHBA-2013:0329 — libssh2 bug fix and enhancement update
6.122. libtalloc
6.122.1. RHBA-2013:0352 — libtalloc bug fix update
6.123. libtdb
6.123.1. RHBA-2013:0353 — libtdb bug fix and enhancement update
6.124. libtevent
6.124.1. RHBA-2013:0354 — libtevent bug fix and enhancement update
6.125. libusb1
6.125.1. RHBA-2013:0310 — libusb1 bug fix update
6.126. libvirt-cim
6.126.1. RHBA-2013:0449 — libvirt-cim bug fix update
6.127. libvirt-java
6.127.1. RHBA-2013:0325 — libvirt-java bug fix and enhancement update
6.128. libvirt
6.128.1. RHBA-2013:0664 — libvirt bug fix and enhancement update
6.128.2. RHSA-2013:0276 — Moderate: libvirt bug fix, and enhancement update
6.129. libwacom
6.129.1. RHEA-2013:0333 — libwacom enhancement update
6.130. lldpad
6.130.1. RHBA-2013:0414 — lldpad bug fix and enhancement update
6.131. lm_sensors
6.131.1. RHBA-2012:1309 — lm_sensors bug fixes
Bug Fixes
6.132. logrotate
6.132.1. RHBA-2012:1172 — logrotate bug fix update
Bug Fix
6.133. lohit-telugu-fonts
6.133.1. RHBA-2012:1212 — lohit-telugu-fonts bug fix update
Bug Fix
6.134. luci
6.134.1. RHBA-2013:0309 — luci bug fix and enhancement update
6.135. lvm2
6.135.1. RHBA-2013:0501 — lvm2 bug fix and enhancement update
6.136. mailman
6.136.1. RHBA-2012:1474 — mailman bug fix update
Bug Fixes
6.137. man-pages-overrides
6.137.1. RHBA-2013:0464 — man-pages-overrides bug fix update
6.138. man-pages
6.138.1. RHBA-2013:0447 — man-pages bug fix and enhancement update
6.139. man
6.139.1. RHBA-2013:0392 — man bug fix update
6.140. matahari
6.140.1. RHBA-2013:0404 — removed packages: matahari
6.141. mcelog
6.141.1. RHBA-2013:0285 — mcelog bug fix and enhancement update
6.142. mdadm
6.142.1. RHBA-2013:0440 — mdadm bug fix update
6.143. mesa
6.143.1. RHBA-2013:0344 — mesa bug fix and enhancement update
6.144. microcode_ctl


6.144.1. RHBA-2013:0348 — microcode_ctl bug fix and enhancement update
6.145. mlocate
6.145.1. RHBA-2012:1355 — mlocate bug fix update
Bug Fixes
6.146. mod_authz_ldap
6.146.1. RHBA-2012:1389 — mod_authz_ldap bug fix update
Bug Fixes
6.147. mod_nss
6.147.1. RHBA-2013:0513 — mod_nss bug fix and enhancement update
6.148. mod_revocator
6.148.1. RHBA-2013:0411 — mod_revocator bug fix update
6.149. module-init-tools
6.149.1. RHBA-2013:0442 — module-init-tools bug fix update
6.150. mod_wsgi
6.150.1. RHBA-2012:1358 — mod_wsgi bug fix and enhancement update
Bug Fix
Enhancement
6.151. mrtg
6.151.1. RHBA-2012:1449 — mrtg bug fix update
Bug Fix
6.152. mt-st
6.152.1. RHBA-2012:1409 — mt-st bug fix update
Bug Fix
6.153. netcf
6.153.1. RHBA-2013:0494 — netcf bug fix update
6.154. net-snmp
6.154.1. RHBA-2013:0421 — net-snmp bug fix update
6.155. NetworkManager
6.155.1. RHBA-2013:0429 — NetworkManager bug fix and enhancement update
6.156. nfs-utils-lib
6.156.1. RHBA-2013:0467 — nfs-utils-lib bug fix update
6.157. nfs-utils
6.157.1. RHBA-2013:0468 — nfs-utils bug fix update
6.158. nss-pam-ldapd
6.158.1. RHBA-2013:0413 — nss-pam-ldapd bug fix update
6.159. nss, nss-util, nspr
6.159.1. RHBA-2013:0445 — nss, nss-util, nspr bug fix and enhancement update
6.160. ntp
6.160.1. RHBA-2013:0495 — ntp bug fix update
6.161. numactl
6.161.1. RHBA-2013:0401 — numactl bug fix and enhancement update
6.162. numad
6.162.1. RHBA-2013:0358 — numad bug fix and enhancement update
6.163. openchange
6.163.1. RHSA-2013:0515 — Moderate: openchange security, bug fix and enhancement update
6.164. OpenIPMI
6.164.1. RHBA-2013:0492 — OpenIPMI bug fix update
6.165. openldap
6.165.1. RHBA-2013:0364 — openldap bug fix and enhancement update
6.166. openscap
6.166.1. RHBA-2013:0362 — openscap bug fix and enhancement update
6.167. openssh
6.167.1. RHSA-2013:0519 — Moderate: openssh security, bug fix and enhancement update


6.168. openssl
6.168.1. RHBA-2013:0443 — openssl bug fix update
6.169. pacemaker
6.169.1. RHBA-2013:0375 — pacemaker bug fix and enhancement update
6.170. PackageKit
6.170.1. RHBA-2013:0394 — PackageKit bug fix update
6.171. pam
6.171.1. RHSA-2013:0521 — Moderate: pam security, bug fix and enhancement update
6.172. parted
6.172.1. RHBA-2013:0407 — parted bug fix and enhancement update
6.173. pciutils
6.173.1. RHBA-2013:0380 — pciutils bug fix and enhancement update
6.174. pcre
6.174.1. RHBA-2012:1240 — pcre bug fix release
Bug Fixes
6.175. pcsc-lite
6.175.1. RHSA-2013:0525 — Moderate: pcsc-lite security and bug fix update
6.176. perl-GSSAPI
6.176.1. RHBA-2012:1340 — perl-GSSAPI bug fix update
6.177. perl-IPC-Run3
6.177.1. RHBA-2012:1440 — perl-IPC-Run3 bug fix update
Bug Fix
6.178. perl-IPC-Run
6.178.1. RHBA-2012:1336 — perl-IPC-Run bug fix update
Bug Fix
6.179. perl-SOAP-Lite
6.179.1. RHBA-2012:1388 — perl-SOAP-Lite bug fix update
Bug Fix
6.180. perl-Sys-Virt
6.180.1. RHBA-2013:0377 — perl-Sys-Virt bug fix and enhancement update
6.181. perl
6.181.1. RHBA-2013:0444 — perl bug fix update
6.182. php
6.182.1. RHSA-2013:0514 — php bug fix and enhancement update
6.183. piranha
6.183.1. RHBA-2013:0351 — piranha bug fix and enhancement update
6.184. pki-core
6.184.1. RHSA-2013:0511 — Moderate: pki-core security, bug fix and enhancement update
6.185. plymouth
6.185.1. RHBA-2013:0321 — plymouth bug fix and enhancement update
6.186. pm-utils
6.186.1. RHBA-2012:1094 — pm-utils bug fix update
Bug Fix
6.187. policycoreutils
6.187.1. RHBA-2013:0396 — policycoreutils bug fix and enhancement update
6.188. powerpc-utils
6.188.1. RHBA-2013:0384 — powerpc-utils bug fix and enhancement update
6.189. ppc64-diag
6.189.1. RHBA-2013:0382 — ppc64-diag bug fix and enhancement update
6.190. procps
6.190.1. RHBA-2012:1463 — procps bug fix update
Bug Fixes
6.191. pykickstart
6.191.1. RHBA-2013:0507 — pykickstart bug fix and enhancement update


6.192. PyQt4
6.192.1. RHBA-2012:1241 — PyQt4 bug fix update
Bug Fixes
6.193. python-ethtool
6.193.1. RHBA-2013:0454 — python-ethtool bug fix and enhancement update
6.194. python-nss
6.194.1. RHBA-2013:0405 — python-nss bug fix and enhancement update
6.195. python-paste
6.195.1. RHBA-2013:0472 — python-paste bug fix update
6.196. python-psycopg2
6.196.1. RHBA-2013:0327 — python-psycopg2 bug fix and enhancement update
6.197. python-rhsm
6.197.1. RHBA-2013:0371 — python-rhsm bug fix and enhancement update
6.198. python-rtslib
6.198.1. RHBA-2013:0466 — python-rtslib bug fix update
6.199. python
6.199.1. RHBA-2013:0437 — python bug fix update
6.200. python-virtinst
6.200.1. RHBA-2013:0463 — python-virtinst bug fix and enhancement update
6.201. qemu-kvm
6.201.1. RHBA-2013:0539 — qemu-kvm bug fix update
6.201.2. RHBA-2013:0527 — qemu-kvm bug fix and enhancement update
6.202. ql2400-firmware
6.202.1. RHBA-2013:0402 — ql2400-firmware bug fix and enhancement update
6.203. ql2500-firmware
6.203.1. RHBA-2013:0403 — ql2500-firmware bug fix and enhancement update
6.204. qt
6.204.1. RHBA-2012:1246 — qt bug fix update
Bug Fixes
6.205. quota
6.205.1. RHBA-2012:1472 — quota bug fix update
Bug Fixes
6.206. rdesktop
6.206.1. RHBA-2012:1276 — rdesktop bug fix update
Bug Fixes
6.207. rdma
6.207.1. RHSA-2013:0509 — Low: rdma security, bug fix and enhancement update
6.208. redhat-lsb
6.208.1. RHBA-2013:0448 — redhat-lsb bug fix and enhancement update
6.209. redhat-release
6.209.1. RHEA-2013:0379 — redhat-release enhancement update for Red Hat Enterprise Linux 6.4
6.210. redhat-rpm-config
6.210.1. RHBA-2013:0460 — redhat-rpm-config bug fix and enhancement update
6.211. Red Hat Enterprise Linux Release Notes
6.211.1. RHEA-2013:0439 — Red Hat Enterprise Linux 6.4 Release Notes
6.212. resource-agents
6.212.1. RHBA-2013:0288 — resource-agents bug fix and enhancement update
6.213. rgmanager
6.213.1. RHBA-2013:0409 — rgmanager bug fix update
6.214. rhn-client-tools
6.214.1. RHBA-2013:0388 — rhn-client-tools bug fix and enhancement update
6.215. ricci
6.215.1. RHBA-2013:0453 — ricci bug fix and enhancement update
6.216. rpcbind


6.216.1. RHBA-2013:0291 — rpcbind bug fix and enhancement update
6.217. rpmdevtools
6.217.1. RHBA-2012:1313 — rpmdevtools bug fix update
Bug Fix
6.218. rpm
6.218.1. RHBA-2013:0461 — rpm bug fix and enhancement update
6.219. rsyslog
6.219.1. RHBA-2013:0450 — rsyslog bug fix update
6.220. s390utils
6.220.1. RHBA-2013:0395 — s390utils bug fix and enhancement update
6.221. samba4
6.221.1. RHSA-2013:0506 — Moderate: samba4 security, bug fix and enhancement update
6.222. samba
6.222.1. RHBA-2013:0338 — samba bug fix and enhancement update
6.223. scl-utils
6.223.1. RHBA-2013:0400 — scl-utils bug fix and enhancement update
6.224. seabios
6.224.1. RHBA-2013:0307 — seabios bug fix and enhancement update
6.225. selinux-policy
6.225.1. RHBA-2013:0537 — selinux-policy bug fix update
6.225.2. RHBA-2013:0314 — selinux-policy bug fix and enhancement update
6.226. setroubleshoot
6.226.1. RHBA-2013:0387 — setroubleshoot bug fix update
6.227. setup
6.227.1. RHBA-2012:1367 — setup bug fix update
Bug Fixes
6.228. slapi-nis
6.228.1. RHBA-2013:0370 — slapi-nis bug fix update
6.229. slf4j
6.229.1. RHBA-2012:1239 — slf4j bug fix update
Bug Fix
6.230. smartmontools
6.230.1. RHBA-2013:0365 — smartmontools bug fix and enhancement update
6.231. sos
6.231.1. RHBA-2013:0474 — sos bug fix and enhancement update
6.232. spice-gtk
6.232.1. RHBA-2013:0343 — spice-gtk bug fix and enhancement update
6.233. spice-protocol
6.233.1. RHBA-2013:0510 — spice-protocol bug fix and enhancement update
6.234. spice-server
6.234.1. RHBA-2013:0529 — spice-server bug fix and enhancement update
6.235. spice-vdagent
6.235.1. RHEA-2013:0311 — spice-vdagent enhancement update
6.236. spice-xpi
6.236.1. RHBA-2013:0459 — spice-xpi bug fix update
6.237. squid
6.237.1. RHSA-2013:0505 — Moderate: squid security and bug fix update
6.238. sssd
6.238.1. RHSA-2013:0508 — Low: sssd security, bug fix and enhancement update
6.239. strace
6.239.1. RHBA-2013:0282 — strace bug fix and enhancement update
6.240. subscription-manager-migration-data
6.240.1. RHBA-2013:0360 — subscription-manager-migration-data bug fix and enhancement update


6.241. subscription-manager
6.241.1. RHBA-2013:0350 — subscription-manager bug fix and enhancement update
6.242. sudo
6.242.1. RHBA-2013:0363 — sudo bug fix and enhancement update
6.243. sysfsutils
6.243.1. RHBA-2012:1453 — sysfsutils bug fix update
Bug Fix
6.244. syslinux
6.244.1. RHBA-2013:0473 — syslinux bug fix update
6.245. system-config-kdump
6.245.1. RHBA-2013:0292 — system-config-kdump bug fix and enhancement update
6.246. system-config-kickstart
6.246.1. RHEA-2013:0470 — system-config-kickstart enhancement update
6.247. system-config-language
6.247.1. RHBA-2012:1213 — system-config-language bug fix update
Bug Fix
6.248. system-config-lvm
6.248.1. RHBA-2013:0385 — system-config-lvm bug fix update
6.249. system-config-users
6.249.1. RHBA-2012:1387 — system-config-users bug fix update
Bug Fixes
6.250. systemtap
6.250.1. RHBA-2013:0345 — systemtap bug fix and enhancement update
6.251. tar
6.251.1. RHBA-2012:1372 — tar bug fix update
6.251.2. RHBA-2013:0489 — tar bug fix update
6.252. tboot
6.252.1. RHBA-2013:0524 — tboot bug fix update
6.253. tcsh
6.253.1. RHBA-2013:0446 — tcsh bug fix update
6.254. tigervnc
6.254.1. RHBA-2013:0478 — tigervnc bug fix and enhancement update
6.255. tog-pegasus
6.255.1. RHBA-2013:0418 — tog-pegasus bug fix and enhancement update
6.256. tomcat6
6.256.1. RHBA-2013:0480 — tomcat6 bug fix update
6.257. trace-cmd
6.257.1. RHBA-2013:0423 — trace-cmd bug fix and enhancement update
6.258. tuned
6.258.1. RHBA-2013:0538 — tuned bug fix update
6.258.2. RHBA-2013:0386 — tuned bug fix update
6.259. udev
6.259.1. RHBA-2013:0435 — udev bug fix and enhancement update
6.260. usbredir
6.260.1. RHBA-2013:0346 — usbredir bug fix and enhancement update
6.261. util-linux-ng
6.261.1. RHSA-2013:0517 — Low: util-linux-ng security, bug fix and enhancement update
6.262. valgrind
6.262.1. RHBA-2013:0347 — valgrind bug fix and enhancement update
6.263. vgabios
6.263.1. RHBA-2013:0487 — vgabios bug fix update
6.264. virtio-win
6.264.1. RHBA-2013:0441 — virtio-win bug fix and enhancement update


6.265. virt-manager
6.265.1. RHBA-2013:0451 — virt-manager bug fix and enhancement update

6.266. virt-top
6.266.1. RHBA-2013:0391 — virt-top bug fix and enhancement update

6.267. virt-v2v
6.267.1. RHBA-2013:0477 — virt-v2v bug fix and enhancement update

6.268. virt-viewer
6.268.1. RHBA-2013:0361 — virt-viewer bug fix and enhancement update

6.269. virt-what
6.269.1. RHEA-2013:0483 — virt-what enhancement update

6.270. virt-who
6.270.1. RHBA-2013:0374 — virt-who bug fix and enhancement update

6.271. wdaemon
6.271.1. RHBA-2013:0293 — wdaemon bug fix and enhancement update

6.272. wget
6.272.1. RHBA-2012:1353 — wget bug fix update
Bug Fixes

6.273. wpa_supplicant
6.273.1. RHBA-2013:0431 — wpa_supplicant bug fix and enhancement update

6.274. x3270
6.274.1. RHBA-2013:0383 — x3270 bug fix update

6.275. xfsdump
6.275.1. RHBA-2013:0482 — xfsdump bug fix update

6.276. xfsprogs
6.276.1. RHBA-2013:0481 — xfsprogs bug fix and enhancement update

6.277. xinetd
6.277.1. RHSA-2013:0499 — Low: xinetd security and bug fix update

6.278. X.Org Legacy Input Drivers
6.278.1. RHEA-2013:0295 — X.Org X11 legacy input drivers enhancement update

6.279. xorg-x11-drv-ati
6.279.1. RHBA-2013:0302 — xorg-x11-drv-ati bug fix and enhancement update

6.280. xorg-x11-drv-evdev
6.280.1. RHBA-2013:0297 — xorg-x11-drv-evdev bug fix and enhancement update

6.281. xorg-x11-drv-intel
6.281.1. RHBA-2013:0303 — xorg-x11-drv-intel bug fix and enhancement update

6.282. xorg-x11-drv-nouveau
6.282.1. RHBA-2013:0304 — xorg-x11-drv-nouveau bug fix and enhancement update

6.283. xorg-x11-drv-qxl
6.283.1. RHBA-2013:0308 — xorg-x11-drv-qxl bug fix and enhancement update

6.284. xorg-x11-drv-synaptics
6.284.1. RHBA-2013:0298 — xorg-x11-drv-synaptics bug fix and enhancement update

6.285. xorg-x11-drv-vmmouse
6.285.1. RHBA-2013:0300 — xorg-x11-drv-vmmouse bug fix and enhancement update

6.286. xorg-x11-drv-wacom
6.286.1. RHBA-2013:0296 — xorg-x11-drv-wacom bug fix and enhancement update

6.287. xorg-x11-server
6.287.1. RHBA-2013:0299 — xorg-x11-server bug fix and enhancement update

6.288. xorg-x11
6.288.1. RHEA-2013:0301 — xorg-x11 drivers enhancement update

6.289. xorg-x11-xkb-utils
6.289.1. RHBA-2013:0305 — xorg-x11-xkb-utils bug fix and enhancement update

6.290. yaboot
6.290.1. RHBA-2013:0476 — yaboot bug fix and enhancement update


6.291. ypbind
6.291.1. RHBA-2013:0426 — ypbind bug fix update

6.292. ypserv
6.292.1. RHBA-2013:0330 — ypserv bug fix update

6.293. yum-rhn-plugin
6.293.1. RHBA-2013:0389 — yum-rhn-plugin bug fix update

6.294. yum
6.294.1. RHBA-2013:0406 — yum bug fix and enhancement update

6.295. zlib
6.295.1. RHBA-2013:0398 — zlib bug fix and enhancement update

Revision History


Preface

The Red Hat Enterprise Linux 6.4 Technical Notes list and document the changes made to the Red Hat Enterprise Linux 6 operating system and its accompanying applications between minor release Red Hat Enterprise Linux 6.3 and minor release Red Hat Enterprise Linux 6.4.

For system administrators and others planning Red Hat Enterprise Linux 6.4 upgrades and deployments, the Technical Notes provide a single, organized record of the bugs fixed in, features added to, and Technology Previews included with this new release of Red Hat Enterprise Linux.

For auditors and compliance officers, the Red Hat Enterprise Linux 6.4 Technical Notes provide a single, organized source for change tracking and compliance testing.

For every user, the Red Hat Enterprise Linux 6.4 Technical Notes provide details of what has changed in this new release.

Note

The Package Manifest is available as a separate document.


Chapter 1. Important Changes to External Kernel Parameters

This chapter provides system administrators with a summary of significant changes in the kernel shipped with Red Hat Enterprise Linux 6.4. These changes include added or updated procfs entries, sysfs default values, boot parameters, kernel configuration options, or any noticeable behavior changes.

intel_idle.max_cstate

A new kernel parameter, intel_idle.max_cstate, has been added to specify the maximum depth of a C-state, or to disable intel_idle and fall back to acpi_idle. For more information, refer to the /usr/share/doc/kernel-doc-<version>/Documentation/kernel-parameters.txt file.

nobar

The new nobar kernel parameter, specific to the AMD64 / Intel 64 architecture, can be used to not assign address space to the Base Address Registers (BARs) that were not assigned by the BIOS.

noari

The new noari kernel parameter can disable the use of PCIe Alternative Routing ID Interpretation (ARI).

MD state file

The state file of an MD array component device (found in the /sys/block/md<md_number>/md/dev-<device_name> directory) can now contain additional device states. For more information, refer to the /usr/share/doc/kernel-doc-<version>/Documentation/md.txt file.

route_localnet

The route_localnet kernel parameter can be used to enable the use of 127/8 for local routing purposes. For more information, refer to the /usr/share/doc/kernel-doc-<version>/Documentation/networking/ip-sysctl.txt file.

pf_retrans

The pf_retrans kernel parameter specifies the number of re-transmissions that will be attempted on a given path before traffic is redirected to an alternate transport (should one exist). For more information, refer to the /usr/share/doc/kernel-doc-<version>/Documentation/networking/ip-sysctl.txt file.

traceevent

The new traceevent library, used by perf, uses the following sysfs control files:

/sys/kernel/debug/tracing/events/header_page
/sys/kernel/debug/tracing/events/.../.../format
/sys/bus/event_source/devices/<dev>/format
/sys/bus/event_source/devices/<dev>/events
/sys/bus/event_source/devices/<dev>/type


/sys/kernel/fadump_*

On 64-bit IBM POWER machines, the following control files have been added to be used by the firmware-assisted dump feature:

/sys/kernel/fadump_enabled
/sys/kernel/fadump_registered
/sys/kernel/fadump_release_mem

For more information about these files, refer to /usr/share/doc/kernel-doc-<version>/Documentation/powerpc/firmware-assisted-dump.txt.

Transparent Hugepages

The /sys/kernel/mm/transparent_hugepage symbolic link, which points to /sys/kernel/mm/redhat_transparent_hugepage, has been added for consistency purposes.

Documentation for transparent hugepages has been added to the following file:

/usr/share/doc/kernel-doc-<version>/Documentation/vm/transhuge.txt

vmbus_show_device_attr

The vmbus_show_device_attr attribute of the Hyper-V vmbus driver shows the device attribute in sysfs. This is invoked when the /sys/bus/vmbus/devices/<busdevice>/<attr_name> file is read.

BNA debugfs Interface

The BNA debugfs interface can be accessed through the bna/pci_dev:<pci_name> hierarchy (note that the debugfs file system must be mounted). The following debugging services are available for each pci_dev:

fwtrc — used to collect current firmware trace.

fwsave — used to collect last-saved firmware trace as a result of firmware crash.

regwr — used to write one word to the chip register.

regrd — used to read one or more words from the chip register.

iwlegacy debug_level

The iwlegacy driver includes a new sysfs control file, /sys/bus/pci/drivers/iwl/debug_level, to control per-device level of debugging. The CONFIG_IWLEGACY_DEBUG option enables this feature.

iwlwifi debug_level

The iwlwifi driver includes a new sysfs control file, /sys/class/net/wlan0/device/debug_level, to control per-device level of debugging. The CONFIG_IWLWIFI_DEBUG option enables this feature.

ie6xx_wdt


If debugfs is mounted, the new /sys/kernel/debug/ie6xx_wdt file contains a value that determines whether the system was rebooted by watchdog.

supported_krb5_enctypes

The new /proc/fs/nfsd/supported_krb5_enctypes proc file lists the encryption types supported by the kernel's gss_krb5 code.

usbmixer

The /proc/asound/card<card_number>/usbmixer proc file has been added. It contains a mapping between the ALSA control API and the USB mixer control units. This file can be used for debugging and problem diagnostics.

codec#<number>

The /proc/asound/card<card_number>/codec#<number> proc files now contain information about the D3cold power state, the deepest power-saving state for a PCIe device. The codec#<number> files now also contain additional power state information, specifically: reset status, clock stop ok, and power states error. The following is an example output:

Power: setting=D0, actual=D0, Error, Clock-stop-OK, Setting-reset

cgroup.procs

The cgroup.procs file is now writable. Writing a TGID into the cgroup.procs file of a cgroup moves that thread group into that cgroup.

sysfs_dirent

The last sysfs_dirent, which represents a single sysfs node, is now cached to improve scalability of the readdir function.

iov

The iov sysfs directory was added under the ib device. This directory is used to manage and examine the port P_Key and guid paravirtualization.

FDMI attributes

Fabric Device Management Interface (FDMI) attributes can now be exposed to the fcoe driver via the fc_host class object.

ltm_capable

The /sys/bus/usb/devices/<device>/ltm_capable file has been added to show whether a device supports Latency Tolerance Messaging (LTM). This file is present for both USB 2.0 and USB 3.0 devices.

fwdump_state

The /sys/class/net/eth<number>/device/fwdump_state file has been added to determine whether the firmware dump feature is enabled or disabled.


flags, registers

The Commands in Q item was added to the /sys/block/rssd<number>/registers file. This file's output was also re-formatted. Also, a new /sys/block/rssd<number>/flags file has been added. This read-only file dumps the flags in a port and driver data structure.

duplex

The /sys/class/net/eth<number>/duplex file now reports unknown when the NIC duplex state is DUPLEX_UNKNOWN.

Mountpoint Interface

A sysfs mountpoint interface was added to the perf tool.

TCP_USER_TIMEOUT

TCP_USER_TIMEOUT is a TCP level socket option that specifies the maximum amount of time (in milliseconds) that transmitted data may remain unacknowledged before TCP will forcefully close the corresponding connection and return ETIMEDOUT to the application. If the value 0 is specified, TCP will continue to use the system default.

IPPROTO_ICMP

The IPPROTO_ICMP socket option makes it possible to send ICMP_ECHO messages and receive the corresponding ICMP_ECHOREPLY messages without any special privileges.

Increased Default in ST_MAX_TAPES

In Red Hat Enterprise Linux 6.4, the number of supported tape drives has increased from 128 to 512.

Increased Number of Supported IOMMUs

The number of supported input/output memory management units (IOMMUs) has been increased to be the same as the number of I/O Advanced Programmable Interrupt Controllers (APICs; defined in MAX_IO_APICS).

New Module Parameters

The following list summarizes new command line arguments passed to various kernel modules. For more information about the majority of these module parameters, refer to the output of the modinfo <module> command, for example, modinfo bna.

New kvm module parameter:

module_param(min_timer_period_us, uint, S_IRUGO | S_IWUSR);

min_timer_period_us — Do not allow the guest to program periodic timers with small interval, since the hrtimers are not throttled by the host scheduler, and allow tuning the interval with this parameter. The default value is 500us.

New kvm-intel module parameter:


module_param_named(eptad, enable_ept_ad_bits, bool, S_IRUGO);

enable_ept_ad_bits — Parameter to control enabling/disabling A/D bits, if supported by CPU. The default value is enabled.

New ata_piix module parameter:

module_param(prefer_ms_hyperv, int, 0);

prefer_ms_hyperv — On Hyper-V Hypervisors, the disks are exposed on both the emulated SATA controller and on the paravirtualized drivers. The CD/DVD devices are only exposed on the emulated controller. Request to ignore ATA devices on this host. The default value is enabled.

New drm module parameters:

module_param_named(edid_fixup, edid_fixup, int, 0400);
module_param_string(edid_firmware, edid_firmware, sizeof(edid_firmware), 0644);

edid_fixup — Minimum number of valid EDID header bytes (0-8). The default value is 6.

edid_firmware — Do not probe monitor, use specified EDID blob from built-in data or /lib/firmware instead.

New i915 module parameters:

module_param_named(lvds_channel_mode, i915_lvds_channel_mode, int, 0600);
module_param_named(i915_enable_ppgtt, i915_enable_ppgtt, int, 0600);
module_param_named(invert_brightness, i915_panel_invert_brightness, int, 0600);

New nouveau module parameter:

module_param_named(vram_type, nouveau_vram_type, charp, 0400);

New radeon module parameter:

module_param_named(lockup_timeout, radeon_lockup_timeout, int, 0444);

New i2c-ismt module parameters:

module_param(stop_on_error, uint, S_IRUGO);
module_param(fair, uint, S_IRUGO);

New iw-cxgb4 module parameters:

module_param(db_delay_usecs, int, 0644);
module_param(db_fc_threshold, int, 0644);

New mlx4_ib module parameter:

module_param_named(sm_guid_assign, mlx4_ib_sm_guid_assign, int, 0444);


New ib_qib module parameter:

module_param_named(cc_table_size, qib_cc_table_size, uint, S_IRUGO);

New bna module parameter:

module_param(bna_debugfs_enable, uint, S_IRUGO | S_IWUSR);

New cxgb4 module parameters:

module_param(dbfifo_int_thresh, int, 0644);
module_param(dbfifo_drain_delay, int, 0644);

New e1000e module parameter:

module_param(debug, int, 0);

New igb module parameter:

module_param(debug, int, 0);

New igbvf module parameter:

module_param(debug, int, 0);

New ixgbe module parameter:

module_param(debug, int, 0);

New ixgbevf module parameter:

module_param(debug, int, 0);

New hv_netvsc module parameter:

module_param(ring_size, int, S_IRUGO);

New mlx4_core module parameter:

module_param(enable_64b_cqe_eqe, bool, 0444);

enable_64b_cqe_eqe — Enable 64 byte CQEs/EQEs when the firmware supports this.

New sfc module parameters:

module_param(vf_max_tx_channels, uint, 0444);
module_param(max_vfs, int, 0444);

New ath5k module parameter:

module_param_named(no_hw_rfkill_switch, ath5k_modparam_no_hw_rfkill_switch, bool, S_IRUGO);

New iwlegacy module parameters:


module_param(led_mode, int, S_IRUGO);
module_param(bt_coex_active, bool, S_IRUGO);

New wlcore module parameter:

module_param(no_recovery, bool, S_IRUSR | S_IWUSR);

New s390 scm_block module parameters:

module_param(nr_requests, uint, S_IRUGO);
module_param(write_cluster_size, uint, S_IRUGO);

New s390 zfcp module parameters:

module_param_named(no_auto_port_rescan, no_auto_port_rescan, bool, 0600);
module_param_named(datarouter, enable_multibuffer, bool, 0400);
module_param_named(dif, enable_dif, bool, 0400);

New aacraid module parameters:

module_param(aac_sync_mode, int, S_IRUGO|S_IWUSR);
module_param(aac_convert_sgl, int, S_IRUGO|S_IWUSR);

New be2iscsi module parameter:

module_param(beiscsi_##_name, uint, S_IRUGO);

New lpfc module parameter:

module_param(lpfc_req_fw_upgrade, int, S_IRUGO|S_IWUSR);

New megaraid_sas module parameters:

module_param(msix_vectors, int, S_IRUGO);
module_param(throttlequeuedepth, int, S_IRUGO);
module_param(resetwaittime, int, S_IRUGO);

New qla4xxx module parameters:

module_param(ql4xqfulltracking, int, S_IRUGO | S_IWUSR);
module_param(ql4xmdcapmask, int, S_IRUGO);
module_param(ql4xenablemd, int, S_IRUGO | S_IWUSR);

New hv_storvsc module parameter:

module_param(storvsc_ringbuffer_size, int, S_IRUGO);

New ehci-hcd driver parameter:

module_param(io_watchdog_force, uint, S_IRUGO);

io_watchdog_force — Force I/O watchdog to be ON for all devices.


New ie6xx_wdt module parameters:

module_param(timeout, uint, 0);
module_param(nowayout, bool, 0);
module_param(resetmode, byte, 0);

New snd-ua101 module parameter:

module_param(queue_length, uint, 0644);
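
The last argument of each declaration above is the sysfs permission of the parameter: it decides whether a file appears under /sys/module/<module>/parameters/ and whether root can change the value on a running system. The following Python sketch is an added example, not part of the Technical Notes; it parses a subset of the declarations listed above and reports the resulting mode, and the helper names (Param, parse_perm, parse_declarations, audit, live_mode) are hypothetical.

```python
import os
import re
import stat
from typing import Dict, List, NamedTuple, Optional

# Permission macros from <linux/stat.h> that occur in the declarations above.
PERM_MACROS = {"S_IRUGO": 0o444, "S_IRUSR": 0o400, "S_IWUSR": 0o200}

# module_param(), module_param_named() and module_param_string() calls; the
# argument list may hold one level of nested parentheses (sizeof(...)).
DECL_RE = re.compile(
    r"module_param(?:_named|_string)?\s*\(((?:[^()]|\([^()]*\))*)\)"
)


class Param(NamedTuple):
    module: str
    name: str   # name as seen by modprobe and sysfs (first macro argument)
    mode: int   # sysfs permission bits (last macro argument)

    @property
    def sysfs_path(self) -> Optional[str]:
        if self.mode == 0:
            return None  # perm 0: no sysfs file, value is set at load time only
        # sysfs directory names use underscores (kvm-intel -> kvm_intel)
        module_dir = self.module.replace("-", "_")
        return f"/sys/module/{module_dir}/parameters/{self.name}"

    @property
    def runtime_writable(self) -> bool:
        return bool(self.mode & 0o222)


def parse_perm(expr: str) -> int:
    """Evaluate a permission expression such as 'S_IRUGO | S_IWUSR' or '0644'."""
    mode = 0
    for token in expr.split("|"):
        token = token.strip()
        # Anything that is not a known macro is treated as a C octal literal.
        mode |= PERM_MACROS[token] if token in PERM_MACROS else int(token, 8)
    return mode


def parse_declarations(module: str, text: str) -> List[Param]:
    params = []
    for match in DECL_RE.finditer(text):
        args = [arg.strip() for arg in match.group(1).split(",")]
        params.append(Param(module, args[0], parse_perm(args[-1])))
    return params


def audit(declarations: Dict[str, str]) -> List[Param]:
    return [p for mod, text in declarations.items()
            for p in parse_declarations(mod, text)]


def live_mode(param: Param) -> Optional[int]:
    """Mode of the parameter file on this host, or None when it is absent."""
    path = param.sysfs_path
    if path is None or not os.path.exists(path):
        return None
    return stat.S_IMODE(os.stat(path).st_mode)


# Declarations copied from the list above, keyed by module name.
SAMPLE = {
    "kvm": "module_param(min_timer_period_us, uint, S_IRUGO | S_IWUSR);",
    "kvm-intel": "module_param_named(eptad, enable_ept_ad_bits, bool, S_IRUGO);",
    "ata_piix": "module_param(prefer_ms_hyperv, int, 0);",
    "drm": "module_param_named(edid_fixup, edid_fixup, int, 0400);"
           "module_param_string(edid_firmware, edid_firmware,"
           " sizeof(edid_firmware), 0644);",
    "wlcore": "module_param(no_recovery, bool, S_IRUSR | S_IWUSR);",
    "aacraid": "module_param(aac_sync_mode, int, S_IRUGO|S_IWUSR);"
               "module_param(aac_convert_sgl, int, S_IRUGO|S_IWUSR);",
    "ie6xx_wdt": "module_param(timeout, uint, 0);module_param(nowayout, bool, 0);"
                 "module_param(resetmode, byte, 0);",
}

if __name__ == "__main__":
    for p in audit(SAMPLE):
        if p.sysfs_path is None:
            state, where = "load-time only", "(no sysfs file)"
        else:
            state = "runtime-writable" if p.runtime_writable else "read-only"
            where = p.sysfs_path
        print(f"{p.module:10} {p.name:20} {p.mode:04o} {state:17} {where}")
```

Parameters reported as runtime-writable are the ones worth including in configuration-drift checks, since their value can differ from what was set at module load.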


Chapter 2. Device Drivers

This chapter provides a comprehensive listing of all device drivers which were updated in Red Hat Enterprise Linux 6.4.

Storage Drivers

The Direct Access Storage Devices (DASD) device driver has been updated to detect path configuration errors that cannot be detected by hardware or microcode. Upon successful detection, the device driver does not use such paths. With this feature, for example, the DASD device driver detects paths that are assigned to a specific subchannel but lead to different storage servers.

The zfcp device driver has been updated to add data structures and error handling to support the enhanced mode of the System z Fibre Channel Protocol (FCP) adapter card. In this mode, the adapter passes data directly from memory to the SAN (data routing) when memory on the adapter card is blocked by large and slow I/O requests.

The mtip32xx driver has been updated to add support for the latest PCIe SSD drives.

The lpfc driver for Emulex Fibre Channel Host Bus Adapters has been updated to version 8.3.5.86.1p.

The qla2xxx driver for QLogic Fibre Channel HBAs has been updated to version 8.04.00.04.06.4-k, which adds support for QLogic's 83XX Converged Network Adapter (CNA), 16 GBps FC support for QLogic adapters, and new Form Factor CNA for HP ProLiant servers.

The qla4xxx driver has been updated to version v5.03.00.00.06.04-k0, which adds change_queue_depth API support, fixes a number of bugs, and introduces various enhancements.

The ql2400-firmware firmware for QLogic 4Gbps fibre channel HBA has been updated to version 5.08.00.

The ql2500-firmware firmware for QLogic 4Gbps fibre channel HBA has been updated to version 5.08.00.

The ipr driver for IBM Power Linux RAID SCSI HBAs has been updated to version 2.5.4, which adds support for the Power7 6Gb SAS adapters and enables SAS VRAID capability on these adapters.

The hpsa driver has been updated to version 2.0.2-4-RH1 to add PCI-IDs for the HP Smart Array Generation 8 family of controllers.

The bnx2i driver for Broadcom NetXtreme II iSCSI has been updated to version 2.7.2.2 with general hardware support enablements. iSCSI and FCoE boot support on Broadcom devices is now fully supported in Red Hat Enterprise Linux 6.4. These two features are provided by the bnx2i and bnx2fc Broadcom drivers.

The bnx2fc driver for the Broadcom Netxtreme II 57712 chip has been updated to version 1.0.12.

iSCSI and FCoE boot support on Broadcom devices is now fully supported in Red Hat Enterprise Linux 6.4. These two features are provided by the bnx2i and bnx2fc Broadcom drivers.

The mpt2sas driver has been updated to version 13.101.00.00, which adds multi-segment mode support for the Linux BSG Driver.

The Brocade bfa Fibre Channel and FCoE driver has been updated to version 3.0.23.0, which includes Brocade 1860 16Gbps Fibre Channel Adapter support, new hardware support in Dell PowerEdge 12th Generation servers, and issue_lip support. The bfa firmware was updated to version 3.0.3.1.

The be2iscsi driver for ServerEngines BladeEngine 2 Open iSCSI devices has been updated to version 4.4.58.0r to add iSCSI netlink VLAN support.

The qib driver for TrueScale HCAs has been updated to the latest version with the following enhancements:

Enhanced NUMA awareness


Congestion Control Agent (CCA) for Performance Scale Messaging (PSM) fabrics

Dual Rail for PSM fabrics

Performance enhancements and bug fixes

The following drivers have been updated to include latest upstream features and bug fixes: ahci, md/bitmap, raid0, raid1, raid10, and raid456.

Network Drivers

The netxen_nic driver for NetXen Multi port (1/10) Gigabit Network has been updated to version 4.0.80, which adds miniDIMM support. The netxen_nic firmware has been updated to version 4.0.588.

The bnx2x driver has been updated to version 1.72.51-0 to include support for Broadcom 57800/57810/57811/57840 chips as well as general bug fixes and updated firmware for Broadcom 57710/57711/57712 chips. This update also includes the following enhancements:

Support for iSCSI offload and Data Center Bridging/Fibre Channel over Ethernet (DCB/FCOE) on Broadcom 57712/578xx chips. The Broadcom 57840 chip is supported in a 4x10G configuration only and does not support iSCSI offload and FCoE. Future releases will support additional configurations and iSCSI offload and FCoE.

Additional physical layer support, including Energy Efficient Ethernet (EEE).

iSCSI offload enhancements

OEM-specific features

The be2net driver for Emulex OneConnect 10GbE Network Adapters has been updated to version 4.4.31.0r. The SR-IOV functionality of the Emulex be2net driver is now fully supported in Red Hat Enterprise Linux 6.4. SR-IOV runs on all Emulex-branded and OEM variants of BE3-based hardware (with minimum firmware version 4.2.324.30), which all require the be2net driver software.

The ixgbevf driver has been updated to version 2.6.0-k to include the latest hardware support, enhancements, and bug fixes.

The cxgb4 driver for Chelsio Terminator4 10G Unified Wire Network Controllers has been updated to add support for Chelsio's T480-CR and T440-LP-CR adapters.

The cxgb3 driver for the Chelsio T3 Family of network devices has been updated to version 1.1.5-ko.

The ixgbe driver for Intel 10 Gigabit PCI Express network devices has been updated to version 3.9.15-k to include support for SR-IOV with Data Center Bridging (DCB) or Receive-Side Scaling (RSS), PTP support as a Technology Preview, latest hardware support, enhancements, and bug fixes.

The iw_cxgb3 driver has been updated.

The iw_cxgb4 driver has been updated.

The e1000e driver for Intel PRO/1000 network devices has been updated to add the latest hardware support and features, and to provide a number of bug fixes.

The enic driver for Cisco 10G Ethernet devices has been updated to version 2.1.1.39.

The igbvf driver (Intel Gigabit Virtual Function Network driver) has been updated to the latest upstream version.

The igb driver for Intel Gigabit Ethernet Adapters has been updated to version 4.0.1 to add the latest hardware support. Also, PTP support has been added to the igb driver as a Technology Preview.

The tg3 driver for Broadcom Tigon3 Ethernet devices has been updated to version 3.124 to add new hardware support. Also, PTP support has been added to the tg3 driver as a Technology Preview.


The qlcnic driver for the HP NC-Series QLogic 10 Gigabit Server Adapters has been updated to version 5.0.29.

The Brocade bna driver for Brocade 10Gb PCIe Ethernet Controllers has been updated to version 3.0.23.0 to add new hardware support for Dell PowerEdge 12th Generation servers, and enable the use of non-Brocade Twinax Copper cables. The bna firmware was updated to version 3.0.3.1.

The Broadcom NetXtreme II cnic driver has been updated to version 2.5.13 to include new features, bug fixes, and support for new OEM platforms.

The wireless drivers have been updated to upstream version 3.5, including the iwlwifi driver for Intel wireless LAN adapters and the ath9k driver for PCI/PCI-Express adapters with Atheros wireless LAN chipsets. Additionally, the rt2800pci and rt2800usb drivers have been added to support various USB and PCI/PCI-Express adapters with Ralink wireless LAN chipsets.

Miscellaneous Drivers

The intel_idle cpuidle driver for Intel processors has been updated to add support for Intel's Xeon E5-XXX V2 series of processors.

The wacom driver has been updated to add support for the CTL-460 Wacom Bamboo Pen, the Wacom Intuos5 Tablet, and the Wacom Cintiq 22HD Pen Display.

The ALSA HDA audio driver has been updated to enable or improve support for new hardware and fix a number of bugs.

The mlx4_en driver has been updated to the latest upstream version.

The mlx4_ib driver has been updated to the latest upstream version.

The mlx4_core driver has been updated to the latest upstream version.

The z90crypt device driver has been updated to support the new Crypto Express 4 (CEX4) adapter card.


Chapter 3. Technology Previews

This chapter provides a list of all available Technology Previews in Red Hat Enterprise Linux 6.4.

Technology Preview features are currently not supported under Red Hat Enterprise Linux subscription services, may not be functionally complete, and are generally not suitable for production use. However, these features are included as a customer convenience and to provide the feature with wider exposure.

Customers may find these features useful in a non-production environment. Customers are also free to provide feedback and functionality suggestions for a Technology Preview feature before it becomes fully supported. Errata will be provided for high-severity security issues.

During the development of a Technology Preview feature, additional components may become available to the public for testing. It is the intention of Red Hat clustering to fully support Technology Preview features in a future release.

3.1. Storage and File Systems

Cross Realm Kerberos Trust Functionality for samba4 Libraries

The Cross Realm Kerberos Trust functionality provided by Identity Management, which relies on the capabilities of the samba4 client library, is included as a Technology Preview starting with Red Hat Enterprise Linux 6.4. This functionality uses the libndr-nbt library to prepare Connection-less Lightweight Directory Access Protocol (CLDAP) messages.

Package: samba-3.6.9-151

Open multicast ping (Omping), BZ#657370

Open Multicast Ping (Omping) is a tool to test the IP multicast functionality, primarily in the local network. This utility allows users to test IP multicast functionality and assists in diagnosing whether an issue is in the network configuration or elsewhere (that is, a bug). In Red Hat Enterprise Linux 6, Omping is provided as a Technology Preview.

Package: omping-0.0.4-1

System Information Gatherer and Reporter (SIGAR)

The System Information Gatherer and Reporter (SIGAR) is a library and command-line tool for accessing operating system and hardware level information across multiple platforms and programming languages. In Red Hat Enterprise Linux 6.4, SIGAR is considered a Technology Preview package.

Package: sigar-1.6.5-0.4.git58097d9

fsfreeze

Red Hat Enterprise Linux 6 includes fsfreeze as a Technology Preview. fsfreeze is a new command that halts access to a file system on a disk. fsfreeze is designed to be used with hardware RAID devices, assisting in the creation of volume snapshots. For more details on the fsfreeze utility, refer to the fsfreeze(8) man page.

Package: util-linux-ng-2.17.2-12.9

DIF/DIX support

DIF/DIX is a new addition to the SCSI Standard and a Technology Preview in Red Hat Enterprise Linux 6. DIF/DIX increases the size of the commonly used 512-byte disk block from 512 to 520 bytes, adding the Data Integrity Field (DIF). The DIF stores a checksum value for the data block that is calculated by the Host Bus Adapter (HBA) when a write occurs. The storage device then confirms the checksum on receive, and stores both the data and the checksum. Conversely, when a read occurs, the checksum can be checked by the storage device, and by the receiving HBA.

The DIF/DIX hardware checksum feature must only be used with applications that exclusively issue O_DIRECT I/O. These applications may use the raw block device, or the XFS file system in O_DIRECT mode. (XFS is the only file system that does not fall back to buffered I/O when doing certain allocation operations.) Only applications designed for use with O_DIRECT I/O and DIF/DIX hardware should enable this feature.

For more information, refer to section Block Devices with DIF/DIX Enabled in the Storage Administration Guide.

Package: kernel-2.6.32-358
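
The write and read checks described for DIF/DIX can be modelled in a few lines. The following Python sketch is an added example, not part of the Technical Notes: it appends an 8-byte integrity field to a 512-byte block and verifies it the way the storage device and the receiving HBA would. The text above only says that the DIF holds a checksum; the field layout used here (2-byte CRC guard tag, 2-byte application tag, 4-byte reference tag carrying the low 32 bits of the logical block address) is the T10 Type 1 protection format and is an assumption added for the example, as are the function names.

```python
import struct

SECTOR_SIZE = 512                      # data portion of the block
PI_FORMAT = ">HHI"                     # guard, application tag, reference tag
PI_SIZE = struct.calcsize(PI_FORMAT)   # 8 bytes, giving a 520-byte block


def crc16_t10dif(data: bytes) -> int:
    """CRC-16/T10-DIF: polynomial 0x8BB7, initial value 0, no bit reflection."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x8BB7) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def protect(data: bytes, lba: int, app_tag: int = 0) -> bytes:
    """What the HBA does on a write: append the integrity field to the data."""
    if len(data) != SECTOR_SIZE:
        raise ValueError("DIF protects exactly one 512-byte block")
    guard = crc16_t10dif(data)
    return data + struct.pack(PI_FORMAT, guard, app_tag, lba & 0xFFFFFFFF)


def verify(block: bytes, expected_lba: int) -> str:
    """What the storage device (on write) and the HBA (on read) check."""
    if len(block) != SECTOR_SIZE + PI_SIZE:
        return "bad length"
    data, field = block[:SECTOR_SIZE], block[SECTOR_SIZE:]
    guard, _app_tag, ref_tag = struct.unpack(PI_FORMAT, field)
    if guard != crc16_t10dif(data):
        return "guard mismatch"        # data was altered after the HBA sealed it
    if ref_tag != expected_lba & 0xFFFFFFFF:
        return "reference mismatch"    # block belongs to a different address
    return "ok"


if __name__ == "__main__":
    payload = bytes(range(256)) * 2    # constructed 512-byte sample block
    block = protect(payload, lba=1000)
    print(len(block), verify(block, 1000))

    damaged = bytearray(block)
    damaged[10] ^= 0x01                # single bit flipped in flight
    print(verify(bytes(damaged), 1000))

    print(verify(block, 1001))         # block returned for the wrong address
```

The reference tag is what catches a misdirected write or read: the data and its checksum are internally consistent, but the block does not belong to the address that was requested.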

Filesystem in user spaceFilesystem in Userspace (FUSE) allows for custom file systems to be developed and run inuser space.

Package: fuse-2.8.3-4

Btrfs, BZ#614 121Btrfs is under development as a file system capable of addressing and managing more files,larger files, and larger volumes than the ext2, ext3, and ext4 file systems. Btrfs is designed tomake the file system tolerant of errors, and to facilitate the detection and repair of errors whenthey occur. It uses checksums to ensure the validity of data and metadata, and maintainssnapshots of the file system that can be used for backup or repair. The Btrfs TechnologyPreview is only available on AMD64 and Intel 64 architectures.

Btrfs is still experimental

Red Hat Enterprise Linux 6 includes Btrfs as a technology preview to allow you to experiment with this file system. You should not choose Btrfs for partitions that will contain valuable data or that are essential for the operation of important systems.

Package: btrfs-progs-0.20-0.2.git91d9eec

LVM Application Programming Interface (API)

Red Hat Enterprise Linux 6 features the new LVM application programming interface (API) as a Technology Preview. This API is used to query and control certain aspects of LVM.

Package: lvm2-2.02.98-9

FS-Cache

FS-Cache in Red Hat Enterprise Linux 6 enables networked file systems (for example, NFS) to have a persistent cache of data on the client machine.

Package: cachefilesd-0.10.2-1

3.2. Networking

linuxptp

The linuxptp package, included in Red Hat Enterprise Linux 6.4 as a Technology Preview, is an implementation of the Precision Time Protocol (PTP) according to IEEE standard 1588 for Linux. The dual design goals are to provide a robust implementation of the standard and to use the most relevant and modern Application Programming Interfaces (API) offered by the Linux kernel. Supporting legacy APIs and other platforms is not a goal.

Package: linuxptp-0-0.6.20121114gite6bbbb

PTP support in kernel drivers

PTP support has been added as a technology preview to the ixgbe, igb, and tg3 kernel drivers.

Packages: kernel-2.6.32-335

QFQ queuing discipline

In Red Hat Enterprise Linux 6, the tc utility has been updated to work with the Quick Fair Scheduler (QFQ) kernel features. Users can now take advantage of the new QFQ traffic queuing discipline from userspace. This feature is considered a Technology Preview.

Package: kernel-2.6.32-358

vios-proxy, BZ#721119

vios-proxy is a stream-socket proxy for providing connectivity between a client on a virtual guest and a server on a Hypervisor host. Communication occurs over virtio-serial links.

Package: vios-proxy-0.1-1

IPv6 support in IPVS

The IPv6 support in IPVS (IP Virtual Server) is considered a Technology Preview.

Package: kernel-2.6.32-358

3.3. Clustering and High Availability

pcs

The pcs package has been added to Red Hat Enterprise Linux 6 as a Technology Preview. This package provides a command-line tool to configure and manage the corosync and pacemaker utilities.

Package: pcs-0.9.26-10

luci support for fence_sanlock

The luci tool now supports the Sanlock fence agent as a Technology Preview, which is available in luci's list of agents.

Package: luci-0.26.0-37

Recovering a node via a hardware watchdog device

The new fence_sanlock agent and checkquorum.wdmd, included in Red Hat Enterprise Linux 6.4 as a Technology Preview, provide new mechanisms to trigger the recovery of a node via a hardware watchdog device. Tutorials on how to enable this Technology Preview will be available at https://fedorahosted.org/cluster/wiki/HomePage

Note that SELinux in enforcing mode is currently not supported.

Package: cluster-3.0.12.1-49

keepalived

Red Hat Enterprise Linux 6.4 includes the keepalived package as a Technology Preview. The keepalived package provides simple and robust facilities for load-balancing and high-availability. The load-balancing framework relies on the well-known and widely used Linux Virtual Server kernel module providing Layer4 network load-balancing. The keepalived daemon implements a set of health checkers to load-balanced server pools according to their state. The keepalived daemon also implements the Virtual Router Redundancy Protocol (VRRP), allowing router or director failover to achieve high availability.

Package: keepalived-1.2.7-3

HAProxy

HAProxy is a stand-alone, layer-7, high-performance network load balancer for TCP and HTTP-based applications which can perform various types of scheduling based on the content of the HTTP requests. Red Hat Enterprise Linux 6.4 introduces the haproxy package as a Technology Preview.

Package: haproxy-1.4.22-3

Utilizing CPG API for inter-node locking

Rgmanager includes a feature which enables it to utilize Corosync's Closed Process Group (CPG) API for inter-node locking. This feature is automatically enabled when Corosync's RRP feature is enabled. Corosync's RRP feature is considered fully supported. However, when used with the rest of the High-Availability Add-Ons, it is considered a Technology Preview.

Package: rgmanager-3.0.12.1-17

Support for redundant ring for standalone Corosync, BZ#722469

Red Hat Enterprise Linux 6 includes support for redundant ring with autorecovery feature as a Technology Preview. Refer to Section 4.7, “Clustering” for a list of known issues associated with this Technology Preview.

Package: corosync-1.4.1-15

corosync-cpgtool, BZ#688260

The corosync-cpgtool now specifies both interfaces in a dual ring configuration. This feature is a Technology Preview.

Package: corosync-1.4.1-15

Disabling rgmanager in /etc/cluster.conf, BZ#723925

As a consequence of converting the /etc/cluster.conf configuration file to be used by pacemaker, rgmanager must be disabled. The risk of not doing this is high; after a successful conversion, it would be possible to start rgmanager and pacemaker on the same host, managing the same resources.

Consequently, Red Hat Enterprise Linux 6 includes a feature (as a Technology Preview) that forces the following requirements:

rgmanager must refuse to start if it sees the <rm disabled="1"> flag in /etc/cluster.conf.

rgmanager must stop any resources and exit if the <rm disabled="1"> flag appears in /etc/cluster.conf during a reconfiguration.

Package: rgmanager-3.0.12.1-17

libqb package

The libqb package provides a library with the primary purpose of providing high performance client server reusable features, such as high performance logging, tracing, inter-process communication, and polling. This package is introduced as a dependency of the pacemaker package, and is considered a Technology Preview.

Package: libqb-0.14.2-3

pacemaker, BZ#456895

Pacemaker, a scalable high-availability cluster resource manager, is included in Red Hat Enterprise Linux 6 as a Technology Preview. Pacemaker is not fully integrated with the Red Hat cluster stack.

Package: pacemaker-1.1.8-7

3.4. Authentication

Simultaneous maintaining of TGTs for multiple KDCs

Kerberos version 1.10 added a new cache storage type, DIR:, which allows Kerberos to maintain Ticket Granting Tickets (TGTs) for multiple Key Distribution Centers (KDCs) simultaneously and auto-select between them when negotiating with Kerberized resources. In Red Hat Enterprise Linux 6.4, SSSD has been enhanced to allow you to select the DIR: cache for users that are logging in via SSSD. This feature is introduced as a Technology Preview.

Package: sssd-1.9.2-82

3.5. Security

TPM

TPM (Trusted Platform Module) hardware can create, store and use RSA keys securely (without ever being exposed in memory), verify a platform's software state using cryptographic hashes and more. The trousers and tpm-tools packages are considered a Technology Preview.

Packages: trousers-0.3.4-4, tpm-tools-1.3.4-2

3.6. Devices

mpt2sas lockless mode

The mpt2sas driver is fully supported. However, when used in the lockless mode, the driver is a Technology Preview.

Package: kernel-2.6.32-358

3.7. Kernel

Thin-provisioning and scalable snapshot capabilities

The dm-thinp targets, thin and thin-pool, provide a device mapper device with thin-provisioning and scalable snapshot capabilities. This feature is available as a Technology Preview.

Package: kernel-2.6.32-358

Kernel Media support

The following features are presented as Technology Previews:

The latest upstream video4linux

Digital video broadcasting

Primarily infrared remote control device support

Various webcam support fixes and improvements

Package: kernel-2.6.32-358

Remote audit logging

The audit package contains the user space utilities for storing and searching the audit records generated by the audit subsystem in the Linux 2.6 kernel. Within the audispd-plugins sub-package is a utility that allows for the transmission of audit events to a remote aggregating machine. This remote audit logging application, audisp-remote, is considered a Technology Preview in Red Hat Enterprise Linux 6.

Package: audispd-plugins-2.2-2

Linux (NameSpace) Container [LXC]

Linux containers provide a flexible approach to application runtime containment on bare-metal systems without the need to fully virtualize the workload. Red Hat Enterprise Linux 6 provides application level containers to separate and control the application resource usage policies via cgroups and namespaces. This release includes basic management of container life-cycle by allowing creation, editing and deletion of containers via the libvirt API and the virt-manager GUI. Linux Containers are a Technology Preview.

Packages: libvirt-0.9.10-21, virt-manager-0.9.0-14

Diagnostic pulse for the fence_ipmilan agent, BZ#655764

A diagnostic pulse can now be issued on the IPMI interface using the fence_ipmilan agent. This new Technology Preview is used to force a kernel dump of a host if the host is configured to do so. Note that this feature is not a substitute for the off operation in a production cluster.

Package: fence-agents-3.1.5-25

3.8. Virtualization

Performance monitoring in KVM guests, BZ#645365

KVM can now virtualize a performance monitoring unit (vPMU) to allow virtual machines to use performance monitoring. Note that the -cpu flag must be set when using this feature.

With this feature, Red Hat virtualization customers running Red Hat Enterprise Linux 6 guests can use the CPU's PMU counter while using the performance tool for profiling. The virtual performance monitoring unit feature allows virtual machine users to identify sources of performance problems in their guests, thereby improving the ability to profile a KVM guest from the host.

This feature is a Technology Preview in Red Hat Enterprise Linux 6.4.

Package: kernel-2.6.32-358

Dynamic virtual CPU allocation

KVM now supports dynamic virtual CPU allocation, also called vCPU hot plug, to dynamically manage capacity and react to unexpected load increases on their platforms during off-peak hours.

The virtual CPU hot-plugging feature gives system administrators the ability to dynamically adjust CPU resources in a guest. Because a guest no longer has to be taken offline to adjust the CPU resources, the availability of the guest is increased.

This feature is a Technology Preview in Red Hat Enterprise Linux 6.4. Currently, only the vCPU hot-add functionality works. The vCPU hot-unplug feature is not yet implemented.

Package: qemu-kvm-0.12.1.2-2.355

System monitoring via SNMP, BZ#642556

This feature provides KVM support for stable technology that is already used in data centers with bare metal systems. SNMP is the standard for monitoring and is extremely well understood as well as computationally efficient. System monitoring via SNMP in Red Hat Enterprise Linux 6 allows the KVM hosts to send SNMP traps on events so that hypervisor events can be communicated to the user via standard SNMP protocol. This feature is provided through the addition of a new package: libvirt-snmp. This feature is a Technology Preview.

Package: libvirt-snmp-0.0.2-3

Wire speed requirement in KVM network drivers

Virtualization and cloud products that run networking work loads need to run at wire speed. Up until Red Hat Enterprise Linux 6.1, the only way to reach wire speed on a 10 GB Ethernet NIC with a lower CPU utilization was to use PCI device assignment (passthrough), which limits other features like memory overcommit and guest migration.

The macvtap/vhost zero-copy capabilities allow the user to use those features when high performance is required. This feature improves performance for any Red Hat Enterprise Linux 6.x guest in the VEPA use case. This feature is introduced as a Technology Preview.

Package: qemu-kvm-0.12.1.2-2.355

Chapter 4. Known Issues

4.1. Installation

anaconda component, BZ#895982

A physical-extent size of less than 32MB on top of an MD physical volume leads to problems with calculating the capacity of a volume group. To work around this problem, use a physical-extent size of 32MB or leave space double the physical-extent size free when allocating logical volumes. Another option is to change the default 4MB size of a physical extent to 32MB.

anaconda component, BZ#875644

After upgrading the system using kickstart, IBM System z machines halt instead of rebooting, despite the instruction to reboot. To work around this problem, boot the system manually.

anaconda component

Setting the qla4xxx parameter ql4xdisablesysfsboot to 1 may cause boot from SAN failures.

anaconda component

To automatically create an appropriate partition table on disks that are uninitialized or contain unrecognized formatting, use the zerombr kickstart command. The --initlabel option of the clearpart command is not intended to serve this purpose.

anaconda component, BZ#676025

Users performing an upgrade using Anaconda's text mode interface who do not have a boot loader already installed on the system, or who have a non-GRUB boot loader, need to select Skip Boot Loader Configuration during the installation process. Boot loader configuration will need to be completed manually after installation. This problem does not affect users running Anaconda in the graphical mode (graphical mode also includes VNC connectivity mode).

anaconda component

On s390x systems, you cannot use automatic partitioning and encryption. If you want to use storage encryption, you must perform custom partitioning. Do not place the /boot volume on an encrypted volume.

anaconda component

The order of device names assigned to USB attached storage devices is not guaranteed. Certain USB attached storage devices may take longer to initialize than others, which can result in the device receiving a different name than you expect (for example, sdc instead of sda).

During installation, verify the storage device size, name, and type when configuring partitions and file systems.

kernel component

Recent Red Hat Enterprise Linux 6 releases use a new naming scheme for network interfaces on some machines. As a result, the installer may use different names during an upgrade in certain scenarios (typically em1 is used instead of eth0 on new Dell machines). However, the previously used network interface names are preserved on the system and the upgraded system will still use the previously used interfaces. This is not the case for Yum upgrades.

anaconda component

The kdump default on feature currently depends on Anaconda to insert the crashkernel= parameter to the kernel parameter list in the boot loader's configuration file.

firstaidkit component

The firstaidkit-plugin-grub package has been removed from Red Hat Enterprise Linux 6.2. As a consequence, in rare cases, the system upgrade operation may fail with unresolved dependencies if the plug-in has been installed in a previous version of Red Hat Enterprise Linux. To avoid this problem, the firstaidkit-plugin-grub package should be removed before upgrading the system. However, in most cases, the system upgrade completes as expected.

anaconda component, BZ#623261

In some circumstances, disks that contain a whole disk format (for example, an LVM Physical Volume populating a whole disk) are not cleared correctly using the clearpart --initlabel kickstart command. Adding the --all switch, as in clearpart --initlabel --all, ensures disks are cleared correctly.

anaconda component

When installing on the IBM System z architecture, if the installation is being performed over SSH, avoid resizing the terminal window containing the SSH session. If the terminal window is resized during the installation, the installer will exit and the installation will terminate.

yaboot component, BZ#613929

The kernel image provided on the CD/DVD is too large for Open Firmware. Consequently, on the POWER architecture, directly booting the kernel image over a network from the CD/DVD is not possible. Instead, use yaboot to boot from a network.

anaconda component

The Anaconda partition editing interface includes a button labeled Resize. This feature is intended for users wishing to shrink an existing file system and an underlying volume to make room for an installation of a new system. Users performing manual partitioning cannot use the Resize button to change sizes of partitions as they create them. If you determine a partition needs to be larger than you initially created it, you must delete the first one in the partitioning editor and create a new one with the larger size.

system-config-kickstart component

Channel IDs (read, write, data) for network devices are required for defining and configuring network devices on IBM S/390 systems. However, system-config-kickstart, the graphical user interface for generating a kickstart configuration, cannot define channel IDs for a network device. To work around this issue, manually edit the kickstart configuration that system-config-kickstart generates to include the desired network devices.

4.2. Entitlement

subscription-manager component

When firstboot is running in text mode, the user can only register via Red Hat Network Register, not with subscription-manager. Both are available in GUI mode.

subscription-manager component

If multiple repositories are enabled, subscription-manager installs product certificates from all repositories instead of installing the product certificate only from the repository from which the RPM package was installed.

subscription-manager component

firstboot fails to provide Red Hat Network registration to a virtual machine in a NAT-based network; for example, in the libvirt environment. Note that this problem only occurs during the first boot after installation. If you run firstboot manually later, the registration finishes successfully.

4.3. Deployment

389-ds-base component, BZ#878111

The ns-slapd utility terminates unexpectedly if it cannot rename the dirsrv-<instance> log files in the /var/log/ directory due to incorrect permissions on the directory.

cpuspeed component, BZ#626893

Some HP Proliant servers may report incorrect CPU frequency values in /proc/cpuinfo or /sys/device/system/cpu/*/cpufreq. This is due to the firmware manipulating the CPU frequency without providing any notification to the operating system. To avoid this, ensure that the HP Power Regulator option in the BIOS is set to OS Control. An alternative available on more recent systems is to set Collaborative Power Control to Enabled.

releng component, BZ#644778

Some packages in the Optional repositories on RHN have multilib file conflicts. Consequently, these packages cannot have both the primary architecture (for example, x86_64) and secondary architecture (for example, i686) copies of the package installed on the same machine simultaneously. To work around this issue, install only one copy of the conflicting package.

grub component, BZ#695951

On certain UEFI-based systems, you may need to type BOOTX64 rather than bootx64 to boot the installer due to case sensitivity issues.

grub component, BZ#698708

When rebuilding the grub package on the x86_64 architecture, the glibc-static.i686 package must be used. Using the glibc-static.x86_64 package will not meet the build requirements.

4.4. Virtualization

kernel component

In Red Hat Enterprise Linux 6.4, if Large Receive Offload (LRO) is enabled with the macvtap driver, a kernel panic can occur on the host machine. This problem was observed on machines using Broadcom, QLogic and Intel cards. To work around the problem, disable LRO by running ethtool -K <interface> large-receive-offload off.

kernel component

There is a known issue with the Microsoft Hyper-V host. If a legacy network interface controller (NIC) is used on a multiple-CPU virtual machine, there is an interrupt problem in the emulated hardware when the IRQ balancing daemon is running. Call trace information is logged in the /var/log/messages file.

libvirt component, BZ#888635

Under certain circumstances, virtual machines try to boot from an incorrect device after a network boot failure. For more information, please refer to this article on Customer Portal.

qemu-kvm component, BZ#894277

"Fast startup" used in Microsoft Windows 8 is not fully compatible with qemu-kvm in Red Hat Enterprise Linux 6. Windows 8 can therefore fail to boot the second time after its shutdown. To ensure successful boot of Windows 8 inside qemu-kvm, disable Windows 8 "fast startup" in System Settings.

numad component, BZ#872524

If numad is run on a system with a task that has very large resident memory (>= 50% total system memory), then the numad-initiated NUMA page migrations for that task can cause swapping. The swapping can then induce long latencies for the system. An example is running a 256GB Microsoft Windows KVM Virtual Machine on a 512GB host. The Windows guest will fault in all pages on boot in order to zero them. On a four node system, numad will detect that a 256GB task can fit in a subset of two or three nodes, and then attempt to migrate it to that subset. Swapping can then occur and lead to latencies. These latencies may then cause the Windows guest to hang, as timing requirements are no longer met. Therefore, on a system with only one or two very large Windows machines, it is recommended to disable numad.

Note that this problem is specific to Windows 2012 guests that use more memory than exists in a single node. Windows 2012 guests appear to allocate memory more gradually than other Windows guest types, which triggers the issue. Other varieties of Windows guests do not seem to experience this problem. You can work around this problem by:

limiting Windows 2012 guests to less memory than exists in a given node -- so on a typical 4 node system with even memory distribution, the guest would need to be less than the total amount of system memory divided by 4; or

allowing the Windows 2012 guest to finish allocating all of its memory before allowing numad to run. numad will handle extremely huge Windows 2012 guests correctly after allowing a few minutes for the guest to finish allocating all of its memory.

grubby component, BZ#893390

When a Red Hat Enterprise Linux 6.4 guest updates the kernel and then the guest is turned off through Microsoft Hyper-V Manager, the guest fails to boot due to incomplete grub information. This is because the data is not synced properly to disk when the machine is turned off through Hyper-V Manager. To work around this problem, execute the sync command before turning the guest off.

kernel component

Using the mouse scroll wheel does not work on Red Hat Enterprise Linux 6.4 guests that run under Microsoft Hyper-V Manager installed on a physical machine. However, the scroll wheel works as expected when the vncviewer utility is used.

kernel component, BZ#874406

Microsoft Windows Server 2012 guests using the e1000 driver can become unresponsive, consuming 100% CPU during reboot.

kernel component

When a kernel panic is triggered on a Microsoft Hyper-V guest, the kdump utility does not capture the kernel error information; an error is only displayed on the command line.

kernel component

Due to a bug in Microsoft Hyper-V Server 2008 R2, attempting to remove and then reload the hv_utils module on a Hyper-V guest running Red Hat Enterprise Linux 6.4 will cause a shutdown and the heartbeat service to not work. To work around this issue, upgrade the host system to Microsoft Hyper-V Server 2012.

qemu-kvm component, BZ#871265

AMD Opteron G1, G2 or G3 CPU models on qemu-kvm use the family and models values as follows: family=15 and model=6. If these values are larger than 20, the lahfm_lm CPU feature is ignored by Linux guests, even when the feature is enabled. To work around this problem, use a different CPU model, for example AMD Opteron G4.

qemu-kvm component, BZ#860929

KVM guests must not be allowed to update the host CPU microcode. KVM does not allow this and instead always returns the same microcode revision or patch level value to the guest. If the guest tries to update the CPU microcode, it will fail and show an error message similar to:

CPU0: update failed (for patch_level=0x6000624)

To work around this, configure the guest to not install CPU microcode updates; for example, uninstall the microcode_ctl package on Red Hat Enterprise Linux or Fedora guests.

virt-p2v component, BZ#816930

Converting a physical server running either Red Hat Enterprise Linux 4 or Red Hat Enterprise Linux 5 which has its file system root on an MD device is not supported. Converting such a guest results in a guest which fails to boot. Note that conversion of a Red Hat Enterprise Linux 6 server which has its root on an MD device is supported.

virt-p2v component, BZ#808820

When converting a physical host with multipath storage, Virt-P2V presents all available paths for conversion. Only a single path must be selected. This must be a currently active path.

virtio-win component, BZ#615928

The balloon service on Windows 7 guests can only be started by the Administrator user.

libvirt component, BZ#622649

libvirt uses transient iptables rules for managing NAT or bridging to virtual machine guests. Any external command that reloads the iptables state (such as running system-config-firewall) will overwrite the entries needed by libvirt. Consequently, after running any command or tool that changes the state of iptables, guests may lose access to the network. To work around this issue, use the service libvirt reload command to restore libvirt's additional iptables rules.

virtio-win component, BZ#612801

A Windows virtual machine must be restarted after the installation of the kernel Windows driver framework. If the virtual machine is not restarted, it may crash when a memory balloon operation is performed.

qemu-kvm component, BZ#720597

Installation of Windows 7 Ultimate x86 (32-bit) Service Pack 1 on a guest with more than 4GB of RAM and more than one CPU from a DVD medium often crashes during the final steps of the installation process due to a system hang. To work around this issue, use the Windows Update utility to install the Service Pack.

qemu-kvm component, BZ#612788

A dual function Intel 82576 Gigabit Ethernet Controller interface (codename: Kawela, PCI Vendor/Device ID: 8086:10c9) cannot have both physical functions (PF's) device-assigned to a Windows 2008 guest. Either physical function can be device assigned to a Windows 2008 guest (PCI function 0 or function 1), but not both.

virt-v2v component, BZ#618091

The virt-v2v utility is able to convert guests running on an ESX server. However, if an ESX guest has a disk with a snapshot, the snapshot must be on the same datastore as the underlying disk storage. If the snapshot and the underlying storage are on different datastores, virt-v2v will report a 404 error while trying to retrieve the storage.

virt-v2v component, BZ#678232

The VMware Tools application on Microsoft Windows is unable to disable itself when it detects that it is no longer running on a VMware platform. Consequently, converting a Microsoft Windows guest from VMware ESX, which has VMware Tools installed, will result in errors. These errors usually manifest as error messages on start-up, and a "Stop Error" (also known as a BSOD) when shutting down the guest. To work around this issue, uninstall VMware Tools on Microsoft Windows guests prior to conversion.

4.5. Storage and File Systems

Driver Update Disk component, BZ#904945

The hpsa driver installed from the AMD64 and Intel 64 Driver Update Program ISO might not be loaded properly on Red Hat Enterprise Linux 6.3. Consequently, the system can become unresponsive. To work around this problem, use the pci=nomsi kernel parameter before installing the driver from the ISO.

kernel component, BZ#918647

Thin provisioning uses reference counts to indicate that data is shared between a thin volume and snapshots of the thin volume. There is a known issue with the way reference counts are managed in the case when a discard is issued to a thin volume that has snapshots. Creating snapshots of a thin volume and then issuing discards to the thin volume can therefore result in data loss in the snapshot volumes. Users are strongly encouraged to disable discard support on the thin-pool for the time being. To do so using lvm2 while the pool is offline, use the lvchange --discard ignore <pool> command. Any discards that might be issued to thin volumes will be ignored.

kernel component

Storage that reports a discard_granularity that is not a power of two will cause the kernel to improperly issue discard requests to the underlying storage. This results in I/O errors associated with the failed discard requests. To work around the problem, if possible, do not upgrade to newer vendor storage firmware that reports discard_granularity that is not a power of two.

parted component

Users might be unable to access a partition created by parted. To work around this problem, reboot the machine.

lvm2 component, BZ#852812

When filling a thin pool to 100% by writing to thin volume device, access to all thin volumes using this thin pool can be blocked. To prevent this, try not to overfill the pool. If the pool is overfilled and this error occurs, extend the thin pool with new space to continue using the pool.

dracut component

The Qlogic QLA2xxx driver can miss some paths after booting from Storage Area Network (SAN). To work around this problem, run the following commands:

echo "options qla2xxx ql2xasynclogin=0" > /etc/modprobe.d/qla2xxx.conf
mkinitrd /boot/initramfs-`uname -r`.img `uname -r` --force

lvm2 component, BZ#903411

Activating a logical volume can fail if the --thinpool and --discards options are specified on logical-volume creation. To work around this problem, manually deactivate all thin volumes related to the changed thin pool prior to running the lvchange command.

kernel component

Unloading the nfs module can cause the system to terminate unexpectedly if the fsx utility was run with NFSv4.1 before.

kernel component

Due to a bug in the CIFS mount code, it is not possible to mount Distributed File System (DFS) shares in Red Hat Enterprise Linux 6.4.

device-mapper-multipath component

When the multipathd service is not running, failed devices will not be restored. However, the multipath command gives no indication that multipathd is not running. Users can unknowingly set up multipath devices without starting the multipathd service, keeping failed paths from automatically getting restored. Make sure to start multipathing by either running:

~]# mpathconf --enable
~]# service multipathd start

or:

~]# chkconfig multipathd on
~]# service multipathd start

multipathd will automatically start on boot, and multipath devices will automatically restore failed paths.

lvm2 component, BZ#837603
When the administrator disables use of the lvmetad daemon in the lvm.conf file, but the daemon is still running, the cached metadata are remembered until the daemon is restarted. However, if the use_lvmetad parameter in lvm.conf is reset to 1 without an intervening lvmetad restart, the cached metadata can be incorrect. Consequently, VG metadata can be overwritten with previous versions. To work around this problem, stop the lvmetad daemon manually when disabling use_lvmetad in lvm.conf. The daemon can only be restarted after use_lvmetad has been set to 1. To recover from an out-of-sync lvmetad cache, execute the pvscan --cache command or restart lvmetad. To restore metadata to correct versions, use vgcfgrestore with a corresponding file in /etc/lvm/archive.

lvm2 component, BZ#563927
Due to the limitations of the LVM 'mirror' segment type, it is possible to encounter a deadlock situation when snapshots are created of mirrors. The deadlock can occur if snapshot changes (e.g. creation, resizing or removing) happen at the same time as a mirror device failure. In this case, the mirror blocks I/O until LVM can respond to the failure, but the snapshot is holding the LVM lock while trying to read the mirror.

If the user wishes to use mirroring and take snapshots of those mirrors, then it is recommended to use the 'raid1' segment type for the mirrored logical volume instead. This can be done by adding the additional arguments '--type raid1' to the command that creates the mirrored logical volume, as follows:

~]$ lvcreate --type raid1 -m 1 -L 1G -n my_mirror my_vg

kernel component, BZ#606260
The NFSv4 server in Red Hat Enterprise Linux 6 currently allows clients to mount using UDP and advertises NFSv4 over UDP with rpcbind. However, this configuration is not supported by Red Hat and violates the RFC 3530 standard.

lvm2 component
The pvmove command cannot currently be used to move mirror devices. However, it is possible to move mirror devices by issuing a sequence of two commands. For mirror images, add a new image on the destination PV and then remove the mirror image on the source PV:

~]$ lvconvert -m +1 <vg/lv> <new PV>
~]$ lvconvert -m -1 <vg/lv> <old PV>

Mirror logs can be handled in a similar fashion:

~]$ lvconvert --mirrorlog core <vg/lv>
~]$ lvconvert --mirrorlog disk <vg/lv> <new PV>

or

~]$ lvconvert --mirrorlog mirrored <vg/lv> <new PV>
~]$ lvconvert --mirrorlog disk <vg/lv> <old PV>

4.6. Networking

samba4 component, BZ#878168
If configured, the Active Directory (AD) DNS server returns IPv4 and IPv6 addresses of an AD server. If the FreeIPA server cannot connect to the AD server with an IPv6 address, running the ipa trust-add command will fail even if it would be possible to use IPv4. To work around this problem, add the IPv4 address of the AD server to the /etc/hosts file. In this case, the FreeIPA server will use only the IPv4 address and executing ipa trust-add will be successful.

kernel component
Destroying the root port before any NPIV ports can cause unexpected system behavior, including a full system crash. Note that one instance where the root port is destroyed before the NPIV ports is when the system is shut down. To work around this problem, destroy NPIV ports before destroying the root port that the NPIV ports were created on. This means that for each created NPIV port, the user should write to the sysfs vport_delete interface to delete that NPIV port. This should be done before the root port is destroyed. Users are advised to script the NPIV port deletion and configure the system such that the script is executed before the fcoe service is stopped, in the shutdown sequence.
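One way to script the NPIV port deletion advised above, as an added example that is not part of the Technical Notes. It assumes the FC transport sysfs layout (/sys/class/fc_vports/vport-H:C-V with port_name and node_name, and /sys/class/fc_host/hostH/vport_delete accepting WWPN:WWNN); SYSFS_ROOT, DRY_RUN and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: delete all NPIV virtual ports before the root port goes away.
# SYSFS_ROOT and DRY_RUN are hypothetical knobs of this example, not kernel or
# fcoe-utils settings. Set DRY_RUN=1 to see what would be written.
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"
DRY_RUN="${DRY_RUN:-0}"

# sysfs prints WWNs as 0x<16 hex digits>; vport_delete is assumed to expect
# them without the 0x prefix, as WWPN:WWNN.
strip_0x() {
    printf '%s\n' "${1#0x}"
}

# Print one "hostN WWPN:WWNN" line per NPIV port found under fc_vports.
# Assumes vport directories are named vport-<parent host>:<channel>-<n>.
list_npiv_ports() {
    for vport in "$SYSFS_ROOT"/class/fc_vports/vport-*; do
        [ -r "$vport/port_name" ] && [ -r "$vport/node_name" ] || continue
        name=${vport##*/}
        hostnum=${name#vport-}
        hostnum=${hostnum%%:*}
        wwpn=$(strip_0x "$(cat "$vport/port_name")")
        wwnn=$(strip_0x "$(cat "$vport/node_name")")
        printf 'host%s %s:%s\n' "$hostnum" "$wwpn" "$wwnn"
    done
}

# Write each WWPN:WWNN pair to the parent host's vport_delete file.
# Returns 0 only if every port was deleted (or would be, in dry-run mode),
# so a shutdown hook can refuse to continue while NPIV ports remain.
delete_npiv_ports() {
    failed=0
    while read -r host ids; do
        [ -n "$host" ] || continue
        target="$SYSFS_ROOT/class/fc_host/$host/vport_delete"
        if [ "$DRY_RUN" = 1 ]; then
            echo "would write $ids to $target"
        elif [ -w "$target" ] && printf '%s\n' "$ids" > "$target"; then
            echo "deleted NPIV port $ids on $host"
        else
            echo "FAILED to delete NPIV port $ids on $host" >&2
            failed=1
        fi
    done <<EOF
$(list_npiv_ports)
EOF
    return "$failed"
}

# Invoke as "<script> delete" from a shutdown step ordered before the fcoe
# service is stopped; "<script> list" only reports the ports.
case "${1:-}" in
    list)   list_npiv_ports ;;
    delete) delete_npiv_ports ;;
esac
```

Running it with DRY_RUN=1 first shows which WWPN:WWNN pairs would be written to which host before anything is deleted.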

kernel component
A Linux LIO FCoE target causes the bfa driver to reset all FCoE targets which might lead to data corruption on LUN. To avoid these problems, do not use the bfa driver with a Linux FCoE target.

NetworkManager component, BZ#896198
A GATEWAY setting in the /etc/sysconfig/network file causes NetworkManager to assign that gateway to all interfaces with static IP addresses, even if their configuration did not specify a gateway or specified a different gateway. Interfaces have the incorrect gateway information and the wrong interface may have the default route. Instead of using GATEWAY in /etc/sysconfig/network to specify which interface receives the default route, set DEFROUTE=no in each ifcfg file that should not have the default route. Any interface connected using configuration from an ifcfg file containing DEFROUTE=no will never receive the default route.

kernel component
Typically, on platforms with no Intelligent Platform Management Interface (IPMI) hardware the user can see the following message on the boot console and in the dmesg log:

Could not set up I/O space

This message can be safely ignored, unless the system really does have IPMI hardware. In that case, the message indicates that the IPMI hardware could not be initialized. In order to support Advanced Configuration and Power Interface (ACPI) opregion access to IPMI functionality early in the boot, the IPMI driver has been statically linked with the kernel image. This means that the IPMI driver is "loaded" whether or not there is any hardware. The IPMI driver will try to initialize the IPMI hardware, but if there is no IPMI hardware present on the booting platform, the driver will print error messages on the console and in the dmesg log. Some of these error messages do not identify themselves as having been issued by the IPMI driver, so they can appear to be serious, when they are harmless.

kernel component
Shutting down the fcoe-target service while the Fibre Channel over Ethernet (FCoE) can lead to a kernel crash. Please minimize FCoE traffic before stopping or restarting this service.

fcoe-utils component
After an ixgbe Fibre Channel over Ethernet (FCoE) session is created, server reboot can cause some or all of the FCoE sessions to not be created automatically. To work around this problem, follow these steps (assuming that eth0 is the missing NIC for the FCoE session):

ifconfig eth0 down
ifconfig eth0 up
sleep 5
dcbtool sc eth0 dcb on
sleep 5
dcbtool sc eth0 pfc e:1 a:1 w:1
dcbtool sc eth0 app:fcoe e:1 a:1 w:1
service fcoe restart

fcoe-target-utils component
Using targetcli to configure the FCoE Target will fail with the message Could not create RTSRoot in configFS. To prevent this, ensure that the fcoe-target service is running by executing service fcoe-target start.

libibverbs component
The InfiniBand UD transport test utility could become unresponsive when the ibv_ud_pingpong command was used with a packet size of 2048 or greater. UD is limited to no more than the smallest MTU of any point in the path between point A and B, which is between 0 and 4096 given that the largest MTU supported (but not the smallest nor required) is 4096. If the underlying Ethernet is jumbo frame capable, and with a 4096 IB MTU on an RoCE device, the max packet size that can be used with UD is 4012 bytes.

bind-dyndb-ldap component
IPA creates a new DNS zone in two separate steps. When the new zone is created, it is invalid for a short period of time. A/AAAA records for the name server belonging to the new zone are created after this delay. Sometimes, BIND attempts to load this invalid zone and fails. In such a case, reload BIND by running either rndc reload or service named restart.

selinux-policy component
SELinux can prevent the nmbd service from writing into the /var/ directory, which breaks NetBIOS name resolution and leads to SELinux AVC denials.

kernel component
If multiple DHCP6 servers are configured on multiple VLANs, for example two DHCP6 servers on VLAN1 and VLAN3, the bna driver NIC does not set up a VLAN interface but can get the VLAN3 IPv6 address.

kernel component
The latest version of the sfc NIC driver causes lower UDP and TX performance with large amounts of fragmented UDP packets. This problem can be avoided by setting a constant interrupt moderation period (not adaptive moderation) on both sides, sending and receiving.

kernel component
When IPv6 is administratively disabled via the disable=1 module parameter, all of the IPv6 protocol handlers are disabled. This includes any offload handlers that support TSO/GSO. The lack of handlers results in the host dropping any TSO/GSO IPv6 packets it may receive from the guest. This can cause problems with retransmission on the guest and throughput. If you want to disable IPv6 support on the host administratively while enabling and providing IPv6 support to the guest without incurring a performance penalty:

set the disable_ipv6 module to 1

or use the following sysctl entries:

net.ipv6.conf.all.disable_ipv6 = 1

net.ipv6.conf.default.disable_ipv6 = 1

kernel component
Some network interface cards (NICs) may not get an IPv4 address assigned after the system is rebooted. To work around this issue, add the following line to the /etc/sysconfig/network-scripts/ifcfg-<interface> file:

LINKDELAY=10

NetworkManager component, BZ#758076
If a Certificate Authority (CA) certificate is not selected when configuring an 802.1x or WPA-Enterprise connection, a dialog appears indicating that a missing CA certificate is a security risk. This dialog presents two options: ignore the missing CA certificate and proceed with the insecure connection, or choose a CA certificate. If the user elects to choose a CA certificate, this dialog disappears and the user may select the CA certificate in the original configuration dialog.

samba component
Current Samba versions shipped with Red Hat Enterprise Linux 6.4 are not able to fully control the user and group database when using the ldapsam_compat back end. This back end was never designed to run a production LDAP and Samba environment for a long period of time. The ldapsam_compat back end was created as a tool to ease migration from historical Samba releases (version 2.2.x) to Samba version 3 and greater using the new ldapsam back end and the new LDAP schema. The ldapsam_compat back end lacks various important LDAP attributes and object classes needed to provide full user and group management. In particular, it cannot allocate user and group IDs. In the Red Hat Enterprise Linux Reference Guide, it is pointed out that this back end is likely to be deprecated in future releases. Refer to Samba's documentation for instructions on how to migrate existing setups to the new LDAP schema.

When you are not able to upgrade to the new LDAP schema (though upgrading is strongly recommended and is the preferred solution), you may work around this issue by keeping a dedicated machine running an older version of Samba (v2.2.x) for the purpose of user account management. Alternatively, you can create user accounts with standard LDIF files. The important part is the assignment of user and group IDs. In that case, the old Samba 2.2 algorithmic mapping from Windows RIDs to Unix IDs is the following: user RID = UID * 2 + 1000, while for groups it is: group RID = GID * 2 + 1001. With these workarounds, users can continue using the ldapsam_compat back end with their existing LDAP setup even when all the above restrictions apply.

kernel component
Because Red Hat Enterprise Linux 6.4 defaults to using Strict Reverse Path filtering, packets are dropped by default when the route for outbound traffic differs from the route of incoming traffic. This is in line with current recommended practice in RFC3704. For more information about this issue please refer to /usr/share/doc/kernel-doc-<version>/Documentation/networking/ip-sysctl.txt and https://access.redhat.com/site/solutions/53031.

4.7. Clustering

selinux-policy component
The fence-sanlock agent does not support SELinux in Enforcing mode at the moment.

lvm2 component, BZ#814779
Clustered environment is not supported by lvmetad at the moment. If global/use_lvmetad=1 is used together with the global/locking_type=3 configuration setting (clustered locking), the use_lvmetad setting is automatically overridden to 0 and lvmetad is not used in this case at all. Also, the following warning message is displayed:

WARNING: configuration setting use_lvmetad overriden to 0 due to locking_type 3. Clustered environment not supported by lvmetad yet.

luci component, BZ#615898
luci will not function with Red Hat Enterprise Linux 5 clusters unless each cluster node has ricci version 0.12.2-14.

4.8. Authentication

ipa component, BZ#894388
The Identity Management installer configures all integrated services to listen on all interfaces. The administrator has no means to instruct the Identity Management installer to listen only on chosen interfaces even though the installer requires a valid interface IP address as one installation parameter. To work around this problem, change service configuration after Identity Management installation.

ipa component, BZ#894378
Identity Management LDAP permission manipulation plugin validates subtree and filter permission specifiers as mutually exclusive even though it is a valid combination in the underlying LDAP Access Control Instruction (ACI). Permissions with filter and subtree specifiers can be neither created nor modified. This affects for example the Add Automount Keys permission which cannot be modified.

ipa component, BZ#817080
In some cases the certificates tracked by certmonger are not cleared when running the ipa-server-install --uninstall command. This will cause a subsequent re-installation to fail with an unexpected error.

sssd component, BZ#892604
The ssh_cache utility sets the DEBUG level after it processes the command-line parameters. If the command-line parameters cannot be processed, the utility prints DEBUG lines that are not supposed to be printed by default. To avoid this, correct parameters must be used.

sssd component, BZ#891647
It is possible to specify the enumerate=true value in the sssd.conf file to access all users in the system. However, using enumerate=true is not recommended in large environments as this can lead to high CPU consumption. As a result, operations like login or logout can be slowed down.

ipa component, BZ#888579
The Identity Management server processes Kerberos Password Expiration Time field as a 32-bit integer. If Maximum Lifetime of a user password in Identity Management Password Policy is set to a value causing the resulting Kerberos Password Expiration Time timestamp to exceed 32 bits and to overflow, the passwords that are being changed are configured with an expiration time that lies in the past and are always rejected. To ensure that new user passwords are valid and can be changed properly, do not set password Maximum Lifetime in Identity Management Password Policy to values that would cause the Kerberos Password Expiration Time timestamp to exceed 32 bits; that is, passwords that would expire after 2038-01-19. At the moment, recommended values for the Maximum Lifetime field are numbers lower than 9000 days.

sssd component, BZ#785877
When reconnecting to an LDAP server, SSSD does not check whether it was re-initialized during the downtime. If the server was re-initialized during the downtime and was filled with completely different data, SSSD does not update its database. As a consequence, the user can get invalid information from SSSD. To work around this problem:

1. stop SSSD before reconnecting to the re-initialized server;

2. clear the SSSD caches manually before reconnecting;

3. start SSSD.

krb5 component
In environments where entropy is scarce, the kadmind tool can take longer to initialize after startup than it did in previous releases as it attempts to read data from the /dev/random file and seed its internal random number generator (RNG). Clients which attempt to connect to the kadmin service can time out and fail with a GSS-API or Kerberos error. After the service completely finishes initializing itself, it will process messages received from now-disconnected clients and can log clock-skew or decrypt-integrity-check-failed errors for those connections. To work around this problem, use a service such as rngd to seed the system RNG using hardware sources of entropy.

ipa component, BZ#887193
The Identity Management server in Red Hat Enterprise Linux 6.3 introduced a technical preview of the SELinux user mapping feature, which enabled a mapping of SELinux users to users managed by Identity Management based on custom rules. However, the default configured SELinux user (guest_u:s0) used when no custom rule matches is too constraining. An Identity Management user authenticating to Red Hat Enterprise Linux 6.4 can be assigned the too constraining SELinux user, in which case a login through a graphical session would always fail. To work around this problem, change the too constraining default SELinux user in the Identity Management server from guest_u:s0 to the more relaxed value unconfined_u:s0-s0:c0.c1023:

kinit admin
ipa config-mod --ipaselinuxusermapdefault=unconfined_u:s0-s0:c0.c1023

An unconfined SELinux user will now be assigned to the Identity Management user by default, which will allow the user to successfully authenticate through the graphical interface.

ipa component, BZ#761574
When attempting to view a host in the web UI, the following message can appear:

Certificate operation cannot be completed: Unable to communicate with CMS (Unauthorized)

Attempting to delete installed certificates through the web UI or command-line interface can fail with the same error message. To work around this problem, run the following command:

~]# yum downgrade ipa-server libipa_hbac libipa_hbac-python ipa-python ipa-client ipa-admintools ipa-server-selinux

ipa component, BZ#877324
After upgrading to Red Hat Identity Manager 2.2, it is not possible to add SSH public keys in the web UI. However, SSH public keys can be added on the command line by running ipa user-mod <user> --sshpubkey.

sssd component, BZ#880150
Rules with sudoUser specified as +netgroup are always matched with the sssd sudoers plugin.

sssd component
When the ldap_sasl_authid is not configured in the sssd.conf file, SSSD terminates unexpectedly with a segmentation fault. To avoid this problem, ensure that the option is configured.

ipa component
When upgrading the ipa-server package using anaconda, the following error message is logged in the upgrade.log file:

/sbin/restorecon: lstat(/var/lib/pki-ca/publish*) failed: No such file or directory

This problem does not occur when using yum.

sssd component
In the Identity Manager subdomain code, a User Principal Name (UPN) is by default built from the SAM Account Name and Active Directory trust users, that is user@DOMAIN. The UPN can be changed to differ from the UPN in Active Directory, however only the default format, user@DOMAIN, is supported.

sssd component, BZ#805921
Sometimes, group members may not be visible when running the getent group groupname command. This can be caused by an incorrect ldap_schema in the [domain/DOMAINNAME] section of the sssd.conf file. SSSD supports three LDAP schema types: RFC 2307, RFC 2307bis, and IPA. By default, SSSD uses the more common RFC 2307 schema. The difference between RFC 2307 and RFC 2307bis is the way in which group membership is stored in the LDAP server. In an RFC 2307 server, group members are stored as the multi-valued memberuid attribute which contains the name of the users that are members. In an RFC2307bis server, group members are stored as the multi-valued attribute member (or sometimes uniqueMember) which contains the DN of the user or group that is a member of this group. RFC2307bis allows nested groups to be maintained as well.

When encountering this problem:

add ldap_schema = rfc2307bis in the sssd.conf file,

delete the /var/lib/sss/db/cache_DOMAINNAME.ldb file,

and restart SSSD.

If the workaround does not work, add ldap_group_member = uniqueMember in the sssd.conf file, delete the cache file and restart SSSD.

Identity Management component, BZ#826973
When Identity Management is installed with its CA certificate signed by an external CA, the installation is processed in 2 stages. In the first stage, a CSR is generated to be signed by an external CA. The second stage of the installation then accepts a file with the new signed certificate for the Identity Management CA and a certificate of the external CA. During the second stage of the installation, a signed Identity Management CA certificate subject is validated. However, there is a bug in the certificate subject validation procedure and its default value (O=$REALM, where $REALM is the realm of the new Identity Management installation) is never pulled. Consequently, the second stage of the installation process always fails unless the --subject option is specified. To work around this issue, add the following option for the second stage of the installation: --subject "O=$REALM" where $REALM is the realm of the new Identity Management installation. If a custom subject was used for the first stage of the installation, use its value instead. Using this workaround, the certificate subject validation procedure succeeds and the installation continues as expected.

Identity Management component, BZ#822350
When a user is migrated from a remote LDAP, the user's entry in the Directory Server does not contain Kerberos credentials needed for a Kerberos login. When the user visits the password migration page, Kerberos credentials are generated for the user and logging in via Kerberos authentication works as expected. However, Identity Management does not generate the credentials correctly when the migrated password does not follow the password policy set on the Identity Management server. Consequently, when the password migration is done and a user tries to log in via Kerberos authentication, the user is prompted to change the password as it does not follow the password policy, but the password change is never successful and the user is not able to use Kerberos authentication. To work around this issue, an administrator can reset the password of a migrated user with the ipa passwd command. When reset, the user's Kerberos credentials in the Directory Server are properly generated and the user is able to log in using Kerberos authentication.

Identity Management component
In the Identity Management webUI, deleting a DNS record may, under some circumstances, leave it visible on the page showing DNS records. This is only a display issue and does not affect functionality of DNS records in any way.

Identity Management component, BZ#790513
The ipa-client package does not install the policycoreutils package as its dependency, which may cause install/uninstall issues when using the ipa-client-install setup script. To work around this issue, install the policycoreutils package manually:

~]# yum install policycoreutils

Identity Management component, BZ#813376
Updating the Identity Management LDAP configuration via the ipa-ldap-updater fails with a traceback error when executed by a non-root user due to the SASL EXTERNAL bind requiring root privileges. To work around this issue, run the aforementioned command as the root user.

Identity Management component, BZ#794882
With netgroups, when adding a host as a member that Identity Management does not have stored as a host already, that host is considered to be an external host. This host can be controlled with netgroups, but Identity Management has no knowledge of it. Currently, there is no way to use the netgroup-find option to search for external hosts.

Also, note that when a host is added to a netgroup as an external host, rather than being added in Identity Management as an external host, that host is not automatically converted within the netgroup rule.

Identity Management component, BZ#786629
Because a permission does not provide write access to an entry, delegation does not work as expected. The 389 Directory Server (389-ds) distinguishes access between entries and attributes. For example, an entry can be granted add or delete access, whereas an attribute can be granted read, search, and write access. To grant write access to an entry, the list of writable attributes needs to be provided. The filter, subtree, and other options are used to target those entries which are writable. Attributes define which part(s) of those entries are writable. As a result, the list of attributes will be writable to members of the permission.

sssd component, BZ#808063
The manpage entry for the ldap_disable_paging option in the sssd-ldap man page does not indicate that it accepts the boolean values True or False, and defaults to False if it is not explicitly specified.

Identity Management component, BZ#812127
Identity Management relies on the LDAP schema to know what type of data to expect in a given attribute. If, in certain situations (such as replication), data that does not meet those expectations is inserted into an attribute, Identity Management will not be able to handle the entry, and LDAP tools have to be used to manually clean up that entry.

Identity Management component, BZ#812122
Identity Management sudo commands are not case sensitive. For example, executing the following commands will result in the latter one failing due to the case insensitivity:

~]$ ipa sudocmd-add /usr/bin/X
⋮
~]$ ipa sudocmd-add /usr/bin/x
ipa: ERROR: sudo command with name "/usr/bin/x" already exists

Identity Management component
When an Identity Management server is installed with a custom hostname that is not resolvable, the ipa-server-install command should add a record to the static hostname lookup table in /etc/hosts and enable further configuration of Identity Management integrated services. However, a record is not added to /etc/hosts when an IP address is passed as a CLI option and not interactively. Consequently, Identity Management installation fails because integrated services that are being configured expect the Identity Management server hostname to be resolvable. To work around this issue, complete one of the following:

Run the ipa-server-install without the --ip-address option and pass the IP address interactively.

Add a record to /etc/hosts before the installation is started. The record should contain the Identity Management server IP address and its full hostname (the hosts(5) man page specifies the record format).

As a result, the Identity Management server can be installed with a custom hostname that is not resolvable.

sssd component
Upgrading SSSD from the version provided in Red Hat Enterprise Linux 6.1 to the version shipped with Red Hat Enterprise Linux 6.2 may fail due to a bug in the dependent library libldb. This failure occurs when the SSSD cache contains internal entries whose distinguished name contains the \, character sequence. The most likely example of this is for an invalid memberUID entry to appear in an LDAP group of the form:

memberUID: user1,user2

memberUID is a multi-valued attribute and should not have multiple users in the same attribute.

If the upgrade issue occurs, identifiable by the following debug log message:

(Wed Nov 2 15:18:21 2011) [sssd] [ldb] (0): A transaction is still active in ldb context [0xaa0460] on /var/lib/sss/db/cache_<DOMAIN>.ldb

remove the /var/lib/sss/db/cache_<DOMAIN>.ldb file and restart SSSD.

Removing the /var/lib/sss/db/cache_<DOMAIN>.ldb file

Removing the /var/lib/sss/db/cache_<DOMAIN>.ldb file purges the cache of all entries (including cached credentials).

sssd component, BZ#751314
When a group contains certain incorrect multi-valued memberUID values, SSSD fails to sanitize the values properly. The memberUID value should only contain one username. As a result, SSSD creates incorrect users, using the broken memberUID values as their usernames. This, for example, causes problems during cache indexing.
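A check for the malformed memberUID values described in the two sssd entries above (the libldb upgrade failure and BZ#751314), as an added example that is not part of the Technical Notes. The function names, sample LDIF and DNs are constructed; the check flags comma-joined values only and reports base64-encoded values undecoded.

```shell
#!/bin/sh
# Added example: find LDAP group entries whose memberUid values hold more
# than one user name (for example "memberUID: user1,user2").

# Read LDIF on stdin and print "<group DN><TAB><offending value>" per finding.
# Handles LDIF line folding (continuation lines start with one space).
# Base64-encoded values (attr:: ...) are not decoded; they are listed with a
# "base64:" prefix so they can be decoded and reviewed by hand.
find_bad_memberuid() {
    awk '
    # Process one complete (unfolded) LDIF line.
    function handle(l,    val) {
        if (tolower(l) ~ /^dn:/) {
            dn = l
            sub(/^[^:]*:+[ ]*/, "", dn)
            return
        }
        if (tolower(l) !~ /^memberuid:/) return
        val = l
        if (l ~ /^[^:]*::/) {
            sub(/^[^:]*::[ ]*/, "", val)
            printf "%s\tbase64:%s\n", dn, val
        } else {
            sub(/^[^:]*:[ ]*/, "", val)
            if (val ~ /,/) printf "%s\t%s\n", dn, val
        }
    }
    function flush() { if (line != "") handle(line); line = "" }
    /^ /  { if (!comment) line = line substr($0, 2); next }
    /^#/  { flush(); comment = 1; next }
    /^$/  { flush(); comment = 0; dn = ""; next }
          { flush(); comment = 0; line = $0 }
    END   { flush() }
    '
}

# Constructed sample data: two comma-joined values (one of them folded across
# two lines), one base64-encoded value, and two well-formed values.
sample_ldif() {
    cat <<'EOF'
dn: cn=admins,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: admins
memberUid: user1,user2
memberUid: user3

dn: cn=devs,ou=Groups,dc=example,dc=com
memberUid: alice
memberUid: bob,
 carol

dn: cn=ops,ou=Groups,dc=example,dc=com
memberuid:: dXNlcjQsdXNlcjU=
EOF
}

# "<script> demo" runs the check on the sample data. Against a directory,
# pipe an LDIF export of the group entries into find_bad_memberuid instead.
if [ "${1:-}" = demo ]; then
    sample_ldif | find_bad_memberuid
fi
```

Groups listed by the check should be corrected in the directory before the SSSD cache is rebuilt, since the cache file would otherwise be repopulated with the same broken values.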

Identity Management component
Two Identity Management servers, both with a CA (Certificate Authority) installed, use two replication agreements. One is for user, group, host, and other related data. Another replication agreement is established between the CA instances installed on the servers. If the CA replication agreement is broken, the Identity Management data is still shared between the two servers, however, because there is no replication agreement between the two CAs, issuing a certificate on one server will cause the other server to not recognize that certificate, and vice versa.

Identity Management component
The Identity Management (ipa) package cannot be built with a 6ComputeNode subscription.

sssd component, BZ#741264
Active Directory performs certain LDAP referral-chasing that is incompatible with the referral mechanism included in the openldap libraries. Notably, Active Directory sometimes attempts to return a referral on an LDAP bind attempt, which used to cause a hang, and is now denied by the openldap libraries. As a result, SSSD may suffer from performance issues and occasional failures resulting in missing information.

To work around this issue, disable referral-chasing by setting the following parameter in the [domain/DOMAINNAME] section of the /etc/sssd/sssd.conf file:

ldap_referrals = false

4.9. Devices

kernel component
A Linux LIO FCoE target causes the bnx2fc driver to perform sequence level error recovery when the target is down. As a consequence, the FCoE session cannot be resumed after the Ethernet link is bounced, the bnx2fc kernel module cannot be unloaded and the FCoE session cannot be removed when running the fcoeadm -d eth0 command. To avoid these problems, do not use the bnx2fc driver with a Linux FCoE target.

kernel component
When using large block size (1MB), the tape driver sometimes returns an EBUSY error. To work around this problem, use a smaller block size, that is 256KB.

kernel component
On some of the older Broadcom tg3 devices, the default Maximum Read Request Size (MRRS) value of 512 bytes is known to cause lower performance. This is because these devices perform direct memory access (DMA) requests serially. A 1500-byte Ethernet packet will be broken into 3 PCIE read requests using a 512-byte MRRS. When using a higher MRRS value, the DMA transfer can be faster as fewer requests will be needed. However, the MRRS value is meant to be tuned by system software and not by the driver. PCIE Base spec 3.0 section 7.8.4 contains an implementation note that illustrates how system software might tune the MRRS for all devices in the system. As a result, Broadcom modified the tg3 driver to remove the code that sets the MRRS to 4K bytes so that any value selected by system software (BIOS) will be preserved.

kernel component
The Brocade BFA Fibre Channel and FCoE driver does not currently support dynamic recognition of Logical Unit addition or removal using the sg3_utils utilities (for example, the sg_scan command) or similar functionality. Please consult Brocade directly for a Brocade equivalent of this functionality.

kernel component
iSCSI and FCoE boot support on Broadcom devices is not included in Red Hat Enterprise Linux 6.4. These two features, which are provided by the bnx2i and bnx2fc Broadcom drivers, remain a Technology Preview until further notice.

kexec-tools component

Starting with Red Hat Enterprise Linux 6.0 and later, kexec kdump supports dumping core to the Btrfs file system. However, note that because the findfs utility in busybox does not support Btrfs yet, UUID/LABEL resolving is not functional. Avoid using the UUID/LABEL syntax when dumping core to Btrfs file systems.

trace-cmd component

The trace-cmd service does start on 64-bit PowerPC and IBM System z systems because the sys_enter and sys_exit events do not get enabled on the aforementioned systems.

trace-cmd component

trace-cmd's subcommand, report, does not work on IBM System z systems. This is due to the fact that the CONFIG_FTRACE_SYSCALLS parameter is not set on IBM System z systems.

libfprint component

Red Hat Enterprise Linux 6 only has support for the first revision of the UPEK Touchstrip fingerprint reader (USB ID 147e:2016). Attempting to use a second revision device may cause the fingerprint reader daemon to crash. The following command returns the version of the device being used in an individual machine:

~]$ lsusb -v -d 147e:2016 | grep bcdDevice

kernel component

The Emulex Fibre Channel/Fibre Channel-over-Ethernet (FCoE) driver in Red Hat Enterprise Linux 6 does not support DH-CHAP authentication. DH-CHAP authentication provides secure access between hosts and mass storage in Fibre-Channel and FCoE SANs in compliance with the FC-SP specification. Note, however, that the Emulex driver (lpfc) does support DH-CHAP authentication on Red Hat Enterprise Linux 5, from version 5.4. Future Red Hat Enterprise Linux 6 releases may include DH-CHAP authentication.

kernel component

The recommended minimum HBA firmware revision for use with the mpt2sas driver is "Phase 5 firmware" (that is, with version number in the form 05.xx.xx.xx). Note that following this recommendation is especially important on complex SAS configurations involving multiple SAS expanders.

4.10. Kernel

kernel component

In Red Hat Enterprise Linux 6.4, irqbalance has been updated to upstream version 1.0.4. This version of irqbalance requires /sys/device/system/cpu/cpu?/node* to exist; however, kernel-2.6.32-358 or earlier does not include support for this sysfs node. To work around this problem, use the irqbalance-0.55-35.el6_3 package or earlier.

kernel component

Red Hat Enterprise Linux 6.4 changed the maximum read/write socket memory default value to be higher, allowing for better performance on some machines. It was observed that if the values of ?mem_max are not symmetrical between two machines, the performance can be negatively affected. To work around this problem, adjust the value of ?mem_max to be equal across all Red Hat Enterprise Linux systems in the network.

kabi-whitelists component

The vxfs module might not work properly on Red Hat Enterprise Linux 6.4 because of the broken radix_tree_gang_lookup_slot symbol. Consult Symantec should you require a workaround for this issue.

kernel component

Enabling TCP Segmentation Offload (TSO) on a TAP interface may cause low throughput when the uplink is a high-speed interface. To improve throughput, turn off TSO on the tap interface of the virtual machine.

kabi-whitelists component, BZ#871580

A patch submitted in Red Hat Enterprise Linux 6.3 broke a kABI symbol. Consequently, the previously working Red Hat Enterprise Linux 6.2 Veritas vxfs module did not work on the 6.3 kernel; a newer compiled version of the Red Hat Enterprise Linux 6.3 Veritas vxfs module had to be used. In Red Hat Enterprise Linux 6.4, the kABI issue has been fixed, and the Red Hat Enterprise Linux 6.3 Veritas vxfs module works as expected. Refer to Table 4.1, “Functionality Matrix” for a summary of what versions of Red Hat Enterprise Linux 6 and vxfs function as expected.

Table 4.1. Functionality Matrix

                       Red Hat Enterprise Linux Version (Kernel Version)
vxfs Module Version    6.2 GA (2.6.32-220.el6)    6.3 GA (2.6.32-279.el6)    6.4 pre-alpha (2.6.32-330.el6)
5.1.120.000-SP1PR2     works                      fails                      works
5.1.133.000-SP1RP3     -                          works                      fail

kernel component

When using Chelsio's iSCSI HBAs for an iSCSI root partition, the first boot after install fails. This occurs because Chelsio's iSCSI HBA is not properly detected. To work around this issue, users must add the iscsi_firmware parameter to grub's kernel command line. This will signal to dracut to boot from the iSCSI HBA.

kernel component

The installation of Red Hat Enterprise Linux 6.4 i386 may occasionally fail. To work around this issue, add the following parameter to the kernel command line:

vmalloc=256MB

kernel component

If a device reports an error while it is opened (via the open(2) system call), then the device is closed (via the close(2) system call), and the /dev/disk/by-id link for the device may be removed. When the problem on the device that caused the error is resolved, the by-id link is not re-created. To work around this issue, run the following command:

~]# echo 'change' > /sys/class/block/sdX/uevent

kernel component

When an HBA that uses the mpt2sas driver is connected to a storage using an SAS switch LSI SAS 6160, the driver may become unresponsive during Controller Fail Drive Fail (CFDF) testing. This is due to faulty firmware that is present on the switch. To fix this issue, use a newer version (14.00.00.00 or later) of firmware for the LSI SAS 6160 switch.

kernel component, BZ#745713

In some cases, Red Hat Enterprise Linux 6 guests running fully-virtualized under Red Hat Enterprise Linux 5 experience a time drift or fail to boot. In other cases, drifting may start after migration of the virtual machine to a host with different speed. This is due to limitations in the Red Hat Enterprise Linux 5 Xen hypervisor. To work around this, add the nohpet parameter or, alternatively, the clocksource=jiffies parameter to the kernel command line of the guest. Or, if running under Red Hat Enterprise Linux 5.7 or newer, locate the guest configuration file for the guest and add the hpet=0 parameter in it.

kernel component

On some systems, Xen full-virt guests may print the following message when booting:

WARNING: BIOS bug: CPU MTRRs don't cover all of memory, losing <number>MB of RAM

It is possible to avoid the memory trimming by using the disable_mtrr_trim kernel command line option.

kernel component

The perf record command becomes unresponsive when specifying a tracepoint event and a hardware event at the same time.

kernel component

On 64-bit PowerPC, the following command may cause kernel panic:

~]# ./perf record -agT -e sched:sched_switch -F 100 -- sleep 3

kernel component

Applications are increasingly using more than 1024 file descriptors. It is not recommended to increase the default soft limit of file descriptors because it may break applications that use the select() call. However, it is safe to increase the default hard limit; that way, applications requiring a large amount of file descriptors can increase their soft limit without needing root privileges and without any user intervention.
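The select() constraint behind this recommendation, as an added example that is not part of the Technical Notes: a process raises its own soft limit up to the hard limit without root privileges, then shows that select() rejects a descriptor numbered 1024 or higher while poll() handles it. The function names and the 4096 target are assumptions made for illustration.

```python
import fcntl
import os
import resource
import select

# glibc's fd_set holds 1024 bits, so select() cannot watch descriptors >= 1024.
FD_SETSIZE = 1024


def raise_soft_nofile(wanted):
    """Raise the soft RLIMIT_NOFILE toward `wanted`, never above the hard limit.

    Needs no privileges: any process may move its soft limit up to the hard one.
    Returns (old_soft, new_soft, hard).
    """
    soft, hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    if soft == resource.RLIM_INFINITY or soft >= wanted:
        return soft, soft, hard
    new_soft = wanted if hard == resource.RLIM_INFINITY else min(wanted, hard)
    resource.setrlimit(resource.RLIMIT_NOFILE, (new_soft, hard))
    return soft, new_soft, hard


def select_vs_poll_above_fd_setsize(wanted=4096):
    """Open a descriptor numbered >= FD_SETSIZE and try select() and poll() on it.

    Returns None when the hard limit does not allow such a descriptor.
    """
    try:
        old_soft, new_soft, hard = raise_soft_nofile(wanted)
    except (ValueError, OSError):
        return None
    if new_soft != resource.RLIM_INFINITY and new_soft <= FD_SETSIZE:
        return None

    read_end, write_end = os.pipe()
    high_fd = -1
    try:
        # F_DUPFD returns the lowest free descriptor >= FD_SETSIZE.
        high_fd = fcntl.fcntl(read_end, fcntl.F_DUPFD, FD_SETSIZE)
        os.write(write_end, b"x")  # make the pipe readable

        try:
            select.select([high_fd], [], [], 0)
            select_ok = True
        except ValueError:  # CPython refuses descriptors outside fd_set
            select_ok = False

        poller = select.poll()
        poller.register(high_fd, select.POLLIN)
        poll_ok = any(fd == high_fd for fd, _ in poller.poll(0))
        return {"fd": high_fd, "soft": new_soft, "hard": hard,
                "select_ok": select_ok, "poll_ok": poll_ok}
    finally:
        for fd in (high_fd, read_end, write_end):
            if fd >= 0:
                os.close(fd)
        if new_soft != old_soft:
            # Put the soft limit back so the demonstration leaves no trace.
            resource.setrlimit(resource.RLIMIT_NOFILE, (old_soft, hard))


if __name__ == "__main__":
    print(select_vs_poll_above_fd_setsize())
```

A select()-based program that inherits a raised default soft limit would reach such descriptors without having asked for them, which is why only the hard limit is raised by default.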

kernel component

In network only use of Brocade Converged Network Adapters (CNAs), switches that are not properly configured to work with Brocade FCoE functionality can cause a continuous linkup/linkdown condition. This causes continuous messages on the host console:

bfa xxxx:xx:xx.x: Base port (WWN = xx:xx:xx:xx:xx:xx:xx:xx) lost fabric connectivity

To work around this issue, unload the Brocade bfa driver.

kernel component

In Red Hat Enterprise Linux 6, a legacy bug in the PowerEdge Expandable RAID Controller 5 (PERC5) causes the kdump kernel to fail to scan for SCSI devices. It is usually triggered when a large amount of I/O operations are pending on the controller in the first kernel before performing a kdump.

kernel component, BZ#679262

In Red Hat Enterprise Linux 6.2 and later, due to security concerns, addresses in /proc/kallsyms and /proc/modules show all zeros when accessed by a non-root user.

kernel component

Superfluous information is displayed on the console due to a correctable machine check error occurring. This information can be safely ignored by the user. Machine check error reporting can be disabled by using the nomce kernel boot option, which disables machine check error reporting, or the mce=ignore_ce kernel boot option, which disables correctable machine check error reporting.

kernel component

The order in which PCI devices are scanned may change from one major Red Hat Enterprise Linux release to another. This may result in device names changing, for example, when upgrading from Red Hat Enterprise Linux 5 to 6. You must confirm that a device you refer to during installation is the intended device.

In some configurations, one way to assure the correctness of device names is to determine the mapping from the controller name to the controller's PCI address in the older release, and then compare this to the mapping in the newer release, to ensure that the device name is as expected.

The following is an example from /var/log/messages:

kernel: cciss0: <0x3230> at PCI 0000:1f:00.0 IRQ 71 using DAC
…
kernel: cciss1: <0x3230> at PCI 0000:02:00.0 IRQ 75 using DAC

If the device name is incorrect, add the pci=bfsort parameter to the kernel command line, and check again.
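One way to carry out the comparison described above, as an added example that is not part of the Technical Notes: it extracts the controller-name-to-PCI-address mapping from kernel log text in the format shown and lists every PCI address whose controller name differs between two releases. The function names are assumptions; the first sample reuses the two log lines above and treats them as the older release, and the second sample is constructed.

```python
import re

# Matches the controller announcement format shown in the log excerpt above.
_CONTROLLER_RE = re.compile(
    r"kernel:\s+(?P<name>[A-Za-z_]+\d+):\s+<0x[0-9A-Fa-f]+>\s+at PCI\s+"
    r"(?P<pci>[0-9A-Fa-f]{4}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}\.[0-7])"
)

# The two lines from the excerpt, treated here as the older release (assumption).
OLD_RELEASE_LOG = """\
kernel: cciss0: <0x3230> at PCI 0000:1f:00.0 IRQ 71 using DAC
kernel: cciss1: <0x3230> at PCI 0000:02:00.0 IRQ 75 using DAC
"""

# Constructed sample: the same hardware scanned in the opposite order.
NEW_RELEASE_LOG = """\
Feb 21 10:02:11 host1 kernel: cciss0: <0x3230> at PCI 0000:02:00.0 IRQ 75 using DAC
Feb 21 10:02:11 host1 kernel: cciss1: <0x3230> at PCI 0000:1f:00.0 IRQ 71 using DAC
"""


def controller_map(log_text):
    """Return {pci_address: controller_name} found in kernel log text."""
    mapping = {}
    for line in log_text.splitlines():
        match = _CONTROLLER_RE.search(line)
        if match:
            mapping[match.group("pci").lower()] = match.group("name")
    return mapping


def renamed_controllers(old_log, new_log):
    """List (pci_address, old_name, new_name) for each address whose name changed.

    A controller present in only one of the logs is reported with None on the
    other side, so hardware that vanished or appeared is also visible.
    """
    old, new = controller_map(old_log), controller_map(new_log)
    changes = []
    for pci in sorted(set(old) | set(new)):
        if old.get(pci) != new.get(pci):
            changes.append((pci, old.get(pci), new.get(pci)))
    return changes


if __name__ == "__main__":
    for pci, old_name, new_name in renamed_controllers(OLD_RELEASE_LOG,
                                                       NEW_RELEASE_LOG):
        print("%s: %s -> %s" % (pci, old_name, new_name))
```

An empty result means the names line up; any entry means the name used during installation should be checked against the PCI address before proceeding.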

kernel component

The minimum firmware version for NIC adapters managed by netxen_nic is 4.0.550. This includes the boot firmware which is flashed in option ROM on the adapter itself.

kernel component

High stress on 64-bit IBM POWER series machines prevents kdump from successfully capturing the vmcore. As a result, the second kernel is not loaded, and the system becomes unresponsive.

kernel component

Triggering kdump to capture a vmcore through the network using the Intel 82575EB ethernet device in a 32-bit environment causes the networking driver to not function properly in the kdump kernel, and prevents the vmcore from being captured.

kernel component

Memory Type Range Register (MTRR) setup on some hyperthreaded machines may be incorrect following a suspend/resume cycle. This can cause graphics performance (specifically, scrolling) to slow considerably after a suspend/resume cycle.

To work around this issue, disable and then re-enable the hyperthreaded sibling CPUs around suspend/resume, for example:

#!/bin/sh
# Disable hyper-threading processor cores on suspend and hibernate, re-enable
# on resume.
# This file goes into /etc/pm/sleep.d/

case $1 in
    hibernate|suspend)
        echo 0 > /sys/devices/system/cpu/cpu1/online
        echo 0 > /sys/devices/system/cpu/cpu3/online
        ;;

    thaw|resume)
        echo 1 > /sys/devices/system/cpu/cpu1/online
        echo 1 > /sys/devices/system/cpu/cpu3/online
        ;;
esac

kernel component

In Red Hat Enterprise Linux 6.2, nmi_watchdog registers with the perf subsystem. Consequently, during boot, the perf subsystem grabs control of the performance counter registers, blocking OProfile from working. To resolve this, either boot with the nmi_watchdog=0 kernel parameter set, or run the following command to disable it at run time:

echo 0 > /proc/sys/kernel/nmi_watchdog

To re-enable nmi_watchdog, use the following command:

echo 1 > /proc/sys/kernel/nmi_watchdog

kernel component, BZ#603911

Due to the way ftrace works when modifying the code during start-up, the NMI watchdog causes too much noise and ftrace can not find a quiet period to instrument the code. Consequently, machines with more than 512 CPUs will encounter issues with the NMI watchdog. Such issues will return error messages similar to BUG: NMI Watchdog detected LOCKUP and have either ftrace_modify_code or ipi_handler in the backtrace. To work around this issue, disable NMI watchdog by setting the nmi_watchdog=0 kernel parameter, or using the following command at run time:

echo 0 > /proc/sys/kernel/nmi_watchdog

kernel component

On 64-bit POWER systems the EHEA NIC driver will fail when attempting to dump a vmcore via NFS. To work around this issue, utilize other kdump facilities, for example dumping to the local file system, or dumping over SSH.

kernel component, BZ#587909

A BIOS emulated floppy disk might cause the installation or kernel boot process to hang. To avoid this, disable emulated floppy disk support in the BIOS.

kernel component

The preferred method to enable nmi_watchdog on 32-bit x86 systems is to use either nmi_watchdog=2 or nmi_watchdog=lapic parameters. The parameter nmi_watchdog=1 is not supported.

kernel component

The kernel parameter, pci=noioapicquirk, is required when installing the 32-bit variant of Red Hat Enterprise Linux 6 on HP xw9300 workstations. Note that the parameter change is not required when installing the 64-bit variant.

4.11. Desktop

firefox package

In certain environments, storing personal Firefox configuration files (~/.mozilla/) on an NFS share, such as when your home directory is on a NFS share, led to Firefox functioning incorrectly, for example, navigation buttons not working as expected, and bookmarks not saving. This update adds a new configuration option, storage.nfs_filesystem, that can be used to resolve this issue. If you experience this issue:

1. Start Firefox.

2. Type about:config into the URL bar and press the Enter key.

3. If prompted with "This might void your warranty!", click the I'll be careful, I promise! button.

4. Right-click in the Preference Name list. In the menu that opens, select New → Boolean.

5. Type "storage.nfs_filesystem" (without quotes) for the preference name and then click the OK button.

6. Select true for the boolean value and then press the OK button.

Red_Hat_Enterprise_Linux-Release_Notes-6 component

The link in the RELEASE-NOTES-si-LK.html file (provided by the Red_Hat_Enterprise_Linux-Release_Notes-6-si-LK package) incorrectly points at the Beta online version of the 6.4 Release Notes. Because the si-LK language is no longer supported, the link should correctly point to the en-US online 6.4 Release Notes located at: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/6.4_Release_Notes/index.html.

libwacom component

The Lenovo X220 Tablet Touchscreen is not supported in the kernel shipped with Red Hat Enterprise Linux 6.4.

wacomcpl package, BZ#769466

The wacomcpl package has been deprecated and has been removed from the package set. The wacomcpl package provided graphical configuration of Wacom tablet settings. This functionality is now integrated into the GNOME Control Center.

acroread component

Running an AMD64 system without the sssd-client.i686 package installed, which uses SSSD for getting information about users, causes acroread to fail to start. To work around this issue, manually install the sssd-client.i686 package.

kernel component, BZ#681257

With newer kernels, such as the kernel shipped in Red Hat Enterprise Linux 6.1, Nouveau has corrected the Transition Minimized Differential Signaling (TMDS) bandwidth limits for pre-G80 NVIDIA chipsets. Consequently, the resolution auto-detected by X for some monitors may differ from that used in Red Hat Enterprise Linux 6.0.

fprintd component

When enabled, fingerprint authentication is the default authentication method to unlock a workstation, even if the fingerprint reader device is not accessible. However, after a 30 second wait, password authentication will become available.

evolution component

Evolution's IMAP backend only refreshes folder contents under the following circumstances: when the user switches into or out of a folder, when the auto-refresh period expires, or when the user manually refreshes a folder (that is, using the menu item Folder → Refresh). Consequently, when replying to a message in the Sent folder, the new message does not immediately appear in the Sent folder. To see the message, force a refresh using one of the methods described above.

anaconda component

The clock applet in the GNOME panel has a default location of Boston, USA. Additional locations are added via the applet's preferences dialog. Additionally, to change the default location, left-click the applet, hover over the desired location in the Locations section, and click the Set... button that appears.

xorg-x11-server component, BZ#623169

In some multi-monitor configurations (for example, dual monitors with both rotated), the cursor confinement code produces incorrect results. For example, the cursor may be permitted to disappear off the screen when it should not, or be prevented from entering some areas where it should be allowed to go. Currently, the only workaround for this issue is to disable monitor rotation.

4.12. Tools

coolkey component, BZ#906537

Personal Identity Verification (PIV) Endpoint Cards which support both CAC and PIV interfaces might not work with the latest coolkey update; some signature operations like PKINIT can fail. To work around this problem, downgrade coolkey to the version shipped with Red Hat Enterprise Linux 6.3.

libreport component

Even if the stored credentials are used, the report-gtk utility can report the following error message:

Wrong settings detected for Red Hat Customer Support [..]

To work around this problem, close the dialog window; the Login=<rhn-user> and Password=<rhn-password> credentials in the /etc/libreport/plugins/rhtsupport.conf will be used in the same way they are used by report-rhtsupport.

For more information, refer to this Knowledge Base article.

vlock component

When a user password is used to lock a console with vlock, the console can only be unlocked with the user password, not the root password. That is, even if the first inserted password is incorrect, and the user is prompted to provide the root password, entering the root password fails with an error message.

libreoffice component

Libreoffice contains a number of harmless files used for testing purposes. However, on Microsoft Windows systems, these files can trigger false positive alerts on various anti-virus software, such as Microsoft Security Essentials. For example, the alerts can be triggered when scanning the Red Hat Enterprise Linux 6 ISO file.

gnome-power-manager component

When the computer runs on battery, the custom brightness level is not remembered and restored if power saving features like "dim display when idle" or "reduce backlight brightness when idle" are enabled.

rsyslog component

rsyslog does not reload its configuration after a SIGHUP signal is issued. To reload the configuration, the rsyslog daemon needs to be restarted:

~]# service rsyslog restart

parted component

The parted utility in Red Hat Enterprise Linux 6 cannot handle Extended Address Volumes (EAV) Direct Access Storage Devices (DASD) that have more than 65535 cylinders. Consequently, EAV DASD drives cannot be partitioned using parted, and installation on EAV DASD drives will fail. To work around this issue, complete the installation on a non EAV DASD drive, then add the EAV device after the installation using the tools provided in the s390-utils package.

Chapter 5. New Packages

5.1. RHEA-2013:0278 — new packages: dev86 and iasl

New dev86 and iasl packages are now available for Red Hat Enterprise Linux 6.

The dev86 and iasl packages are build dependencies of the qemu-kvm package.

This enhancement update adds the dev86 and iasl packages to the 32-bit x86 Optional channels of Red Hat Enterprise Linux 6. (BZ#901677, BZ#901678)

All users who require dev86 and iasl are advised to install these new packages.

5.2. RHEA-2013:0484 — new packages: hypervkvpd

New hypervkvpd packages are now available for Red Hat Enterprise Linux 6.

The hypervkvpd packages contain hypervkvpd, the guest Hyper-V Key-Value Pair (KVP) daemon. Using VMbus, hypervkvpd passes basic information to the host. The information includes guest IP address, fully qualified domain name, operating system name, and operating system release number. An IP injection functionality is also provided which allows you to change the IP address of a guest from the host via the hypervkvpd daemon.

This enhancement update adds the hypervkvpd packages to Red Hat Enterprise Linux 6. For more information about inclusion of, and guest installation support for, Microsoft Hyper-V drivers, refer to the Red Hat Enterprise Linux 6.4 Release Notes. (BZ#850674)

All users who require hypervkvpd are advised to install these new packages. After installing the hypervkvpd packages, rebooting all guest machines is recommended, otherwise the Microsoft Windows server with Hyper-V might not be able to get information from these guest machines.

5.3. RHEA-2013:0422 — new packages: libjpeg-turbo

New libjpeg-turbo packages are now available for Red Hat Enterprise Linux 6.

The libjpeg-turbo packages contain a library of functions for manipulating JPEG images. They also contain simple client programs for accessing the libjpeg functions. These packages provide the same functionality and API as libjpeg but with better performance.

This enhancement update adds the libjpeg-turbo packages to Red Hat Enterprise Linux 6. (BZ#788687)

All users who require libjpeg-turbo are advised to install these new packages.

5.4. RHEA-2013:0369 — new packages: pcs

New pcs packages are now available for Red Hat Enterprise Linux 6.

The pcs packages provide a command-line tool and graphical web interface to configure and manage pacemaker and corosync.

This enhancement update adds the pcs package as a Technology Preview. (BZ#657370)

More information about Red Hat Technology Previews is available here:

https://access.redhat.com/support/offerings/techpreview/

All users who want to use the pcs Technology Preview are advised to install these new packages.

5.5. RHEA-2013:0356 — new package: haproxy

A new haproxy package is now available for Red Hat Enterprise Linux 6.

The haproxy package provides a reliable, high-performance network load balancer for TCP and HTTP-based applications. It is particularly suited for web sites crawling under very high loads while needing persistence or Layer7 processing.

This enhancement update adds the haproxy package to Red Hat Enterprise Linux 6 as a Technology Preview. (BZ#846067)

More information about Red Hat Technology Previews is available at

https://access.redhat.com/support/offerings/techpreview/

All users who want to use the haproxy Technology Preview should install this newly-released package, which adds this enhancement.

5.6. RHEA-2013:0355 — new package: keepalived

A new keepalived package is now available as a Technology Preview for Red Hat Enterprise Linux 6.

The keepalived package provides simple and robust facilities for load-balancing and high-availability. The load-balancing framework relies on the well-known and widely used Linux Virtual Server kernel module providing Layer4 network load-balancing. The keepalived daemon implements a set of health checkers to load-balanced server pools according to their state. The keepalived daemon also implements the Virtual Router Redundancy Protocol (VRRP), allowing router or director failover to achieve high availability.

This enhancement update adds the keepalived package to Red Hat Enterprise Linux 6 as a Technology Preview. (BZ#846064)

More information about Red Hat Technology Previews is available at

https://access.redhat.com/support/offerings/techpreview/

All users who want to use the keepalived Technology Preview should install this newly-released package, which adds this enhancement.

5.7. RHEA-2013:0349 — new packages: linuxptp

New linuxptp packages are now available as a Technology Preview for Red Hat Enterprise Linux 6.

The Linux PTP project is a software implementation of the Precision Time Protocol (PTP) according to IEEE standard 1588 for Linux. These packages provide a robust implementation of the standard and use the most relevant and modern Application Programming Interfaces (API) offered by the Linux kernel. Supporting legacy APIs and other platforms is not a goal.

This enhancement update adds the linuxptp packages to Red Hat Enterprise Linux 6 as a Technology Preview. (BZ#848856)

More information about Red Hat Technology Previews is available here:

https://access.redhat.com/support/offerings/techpreview/

All users who want to use the linuxptp Technology Preview should install these newly-released packages, which add this enhancement.

5.8. RHEA-2013:0342 — new packages: libitm

New libitm packages are now available for Red Hat Enterprise Linux 6.

The libitm packages contain the GNU Transactional Memory runtime library that provides GCC transactional memory support.

This enhancement update adds the libitm packages to Red Hat Enterprise Linux 6. (BZ#813301)

All users who require libitm are advised to install these new packages.

5.9. RHEA-2013:0341 — new package: scipy

New scipy packages are now available for Red Hat Enterprise Linux 6.

The SciPy package provides software for mathematics, science, and engineering. The NumPy package, which is designed to manipulate large multi-dimensional arrays of arbitrary records, is the core library for SciPy. The SciPy library is built to work with NumPy arrays and provides various efficient numerical routines, for example routines for numerical integration and optimization.

This enhancement update adds the scipy packages to Red Hat Enterprise Linux 6. (BZ#697530)

All users who require scipy are advised to install these new packages.

5.10. RHEA-2013:0340 — new packages: suitesparse

New suitesparse packages are now available for Red Hat Enterprise Linux 6.

The suitesparse packages are a collection of libraries for computations involving sparse matrices.

This enhancement update adds the suitesparse packages to Red Hat Enterprise Linux 6. (BZ#844974)

All users who require suitesparse should install these new packages.

5.11. RHEA-2013:0339 — new packages: tbb

New tbb packages are now available for Red Hat Enterprise Linux 6.

The tbb packages contain a C++ runtime library that abstracts the low-level threading details necessary for optimal multi-core performance.

This enhancement update adds the tbb packages to Red Hat Enterprise Linux 6. (BZ#844976)

All users who require tbb are advised to install these new packages.

5.12. RHEA-2013:0336 — new package: tuna

A new tuna package is now available for Red Hat Enterprise Linux 6.

The tuna package provides an interface for changing both scheduler and IRQ tunables, at whole CPU, per-thread or per-IRQ levels. tuna allows CPUs to be isolated for use by a specific application and threads and interrupts to be moved to a CPU simply by dragging and dropping them.

This enhancement update adds the tuna package to Red Hat Enterprise Linux 6. (BZ#812455)

All users who require tuna should install this new package.

5.13. RHEA-2013:0289 — new package: mtdev

A new mtdev package is now available for Red Hat Enterprise Linux 6.

The new mtdev package contains a library that converts kernel input events from multitouch protocol A into multitouch protocol B events. Protocol B events provide per-touchpoint tracking which is required by the xorg-x11-drv-evdev and xorg-x11-drv-synaptics packages.

This enhancement update adds the mtdev package to Red Hat Enterprise Linux 6. (BZ#860177)

All users who require mtdev should install this new package.

5.14. RHEA-2013:0284 — new package: cpupowerutils

New cpupowerutils packages are now available for Red Hat Enterprise Linux 6.

The cpupowerutils packages provide a suite of tools to manage power states on appropriately enabled central processing units (CPU).

This enhancement update adds the cpupowerutils packages to Red Hat Enterprise Linux 6. (BZ#697418)

All users who require cpupowerutils are advised to install these new packages.

5.15. RHEA-2013:0283 — new package: cgdcbxd

New cgdcbxd packages are now available for Red Hat Enterprise Linux 6.

The cgdcbxd packages provide a daemon to manage the priority of network traffic in Data Center Bridging (DCB) enabled environments. By using the information exchanged over the DCB Capability Exchange Protocol (DCBX) on a LAN, cgdcbxd enforces network priority on running applications on your host with the net_prio cgroup.

This enhancement update adds the cgdcbxd packages to Red Hat Enterprise Linux 6. (BZ#835171)

All users who require cgdcbxd are advised to install these new packages.

Chapter 6. Updated Packages

6.1. 389-ds-base

6.1.1. RHSA-2013:0503 — Moderate: 389-ds-base security bug fix and enhancement update

Updated 389-ds-base packages that fix one security issue, a number of bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE link(s) associated with each description below.

The 389-ds-base packages provide 389 Directory Server, which is an LDAPv3 compliant server. The base packages include the Lightweight Directory Access Protocol (LDAP) server and command-line utilities for server administration.

Upgrade to an upstream version

The 389-ds-base packages have been upgraded to upstream version 1.2.11, which provides a number of bug fixes and enhancements over the previous version. (BZ#800051)

Security Fixes

CVE-2012-4450

A flaw was found in the way 389 Directory Server enforced ACLs after performing an LDAP modify relative distinguished name (modrdn) operation. After modrdn was used to move part of a tree, the ACLs defined on the moved (Distinguished Name) were not properly enforced until the server was restarted. This could allow LDAP users to access information that should be restricted by the defined ACLs.

This issue was discovered by Noriko Hosoi of Red Hat.

Bug Fixes

BZ#742054

Previously, 389 Directory Server did not support the Simple Authentication and Security Layer (SASL) PLAIN mechanism. This mechanism has been added to the list of supported SASL mechanisms.

BZ#742381

Due to certain changes under the cn=config suffix, when an attribute value was deleted and then added back in the same modify operation, error 53 was returned. Consequently, the configuration could not be reset. This update allows delete operations to succeed if the attribute is added back in the same modify operation, and the configuration file is reset as expected.

BZ#757836

Previously, the logconv.pl script used a connection number equal to 0 (conn=0) as a restart point, which caused the script to return incorrect restart statistics. The underlying source code has been modified and 389 Directory Server is now configured to use connection number equal to 1 (conn=1) as the restart point.

BZ#803873

The Windows Sync feature uses the name in a search filter to perform an internal search to find an entry. Parentheses, “(” and “)”, are special characters in the LDAP protocol and therefore must be escaped. However, an attempt to synchronize an entry containing parentheses in the name from an Active Directory (AD) server failed with an error. With this update, 389 Directory Server properly escapes the parentheses and synchronization now proceeds correctly as expected.
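The escaping this fix relies on, shown as an added example that is not 389 Directory Server code: RFC 4515 requires the characters (, ), *, \ and NUL inside a filter value to be written as a backslash followed by two hex digits. The function names, the cn attribute and the sample entry name are assumptions made for illustration.

```python
import re

# RFC 4515: these characters must be written as a backslash plus two hex
# digits when they appear inside an assertion value of a search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# One "(attr=value)" item whose value has no raw parenthesis, backslash or NUL.
_ITEM_RE = re.compile(
    r"\((?P<attr>[A-Za-z][A-Za-z0-9;.-]*)="
    r"(?P<value>(?:[^\\()\x00]|\\[0-9A-Fa-f]{2})*)\)"
)


def escape_filter_value(value):
    """Escape a string so it can be used as a value in an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value):
    """Reverse escape_filter_value(): turn each \\XX pair back into its character."""
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_name_filter(attr, name):
    """Hardened form: the name is escaped before it is placed in the filter."""
    return "(%s=%s)" % (attr, escape_filter_value(name))


def build_name_filter_unescaped(attr, name):
    """The failing form described above: the name is pasted in as-is."""
    return "(%s=%s)" % (attr, name)


def parse_item(filter_text):
    """Parse a single "(attr=value)" filter item.

    Returns (attr, original_value), or None when the text is not one
    well-formed item, which is what a raw parenthesis in the name causes.
    """
    match = _ITEM_RE.fullmatch(filter_text)
    if match is None:
        return None
    return match.group("attr"), unescape_filter_value(match.group("value"))


if __name__ == "__main__":
    name = "Sales (EMEA)"  # constructed entry name containing parentheses
    for build in (build_name_filter_unescaped, build_name_filter):
        text = build("cn", name)
        print("%-28s -> %r" % (text, parse_item(text)))
```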

BZ#818762
When a directory server (DS) entry had the same user name, group name, or both as an entry in AD, and the AD entry was out of scope of the Windows Sync feature, the DS entry was deleted. This update adds the new winSyncMoveAction DS attribute for the Windows Sync agreement entry, which allows the user to specify the behavior of out-of-scope AD entries. The value could be set to:

none, which means that an out-of-scope AD entry does nothing to the corresponding DS entry;

delete, which means that an out-of-scope AD entry deletes the corresponding DS entry;

unsync, which means that an out-of-scope AD entry is unsynchronized with the corresponding DS entry and changes made to either entry are not synchronized.

By default, the value is set to none, which fixes this bug.

BZ#830334
Due to an incorrect interpretation of an error code, a directory server considered an invalid chaining configuration setting as the disk full error and shut down unexpectedly. This bug has been fixed by using the correct error code and a directory server now no longer terminates due to an invalid chaining of a configuration setting.

BZ#830335
Previously, restoring an ldif file from a replica, which had older changes that other servers did not see yet, could lead to these updates not being replicated to other replicas. With this update, 389 Directory Server checks the Change Sequence Numbers (CSNs) and allows the older updates to be replicated. As a result, all replicas remain synchronized.

BZ#830336
When a directory server was under a heavy read and write load, and an update request was processed, the following error message or other similar DB_LOCK_DEADLOCK error messages appeared in the error log:

entryrdn-index - _entryrdn_put_data: Adding the parent link (XXX) failed: DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock (-30994)

These errors are common under these circumstances and there is no need to report them in the error log. With this update, 389 Directory Server ensures that these errors are handled properly and no longer logs these messages in the error log.

BZ#830337
When a directory server was configured to use multi-master replication and the Entry USN plug-in, the delete operation was not replicated to the other masters. This update modifies the Entry USN plug-in to prevent it from changing the delete operation into a delete tombstone operation, and from removing the operation before it logs into the change log to replay to other servers. As a result, the delete operation is replicated to all servers as expected.

BZ#830338
Previously, 389 Directory Server did not refresh its Kerberos cache. Consequently, if a new Kerberos ticket was issued for a host that had already authenticated against a directory server, it would be rejected by this server until it was restarted. With this update, the Kerberos cache is flushed after an authentication failure and 389 Directory Server works as expected in the described scenario.

BZ#830343
Using the Managed Entry plug-in in conjunction with other plug-ins, such as Distributed Numeric Assignment (DNA), Member of, and Auto Member, led to problems with delete operations on entries that managed the Managed Entry plug-in. The manager entry was deleted, but the managed entry was not. The deadlock retry handling has been improved so that both entries are deleted during the same database operation.

BZ#830344
Previously, replication errors logged in the error log could contain incorrect information. With this update, the replication errors have been modified to be more useful in diagnosing and fixing problems.

BZ#830346
When audit logging in a directory server was enabled, LDAP ADD operations were ignored and were not logged. This update removes a regression in the audit log code that caused the ADD operation to be ignored, and LDAP ADD operations are now logged to the audit log as expected.

BZ#830348
389 Directory Server with a large number of replication agreements took a considerable amount of time to shut down due to a long sleep interval coded in the replication stop code. This sleep interval has been reduced to speed up the system termination.

BZ#830349
Previously, in a SASL map definition, using a compound search filter that included the “&” character failed because the “&” character was escaped. The underlying source code has been modified and searching with a filter that includes the “&” character works as expected.

BZ#830353
When 389 Directory Server used the Managed Entry plug-in or the DNA plug-in, the valgrind tool reported memory errors and leaks. With this update, a patch has been applied to prevent these problems, and memory is now used and deleted correctly.

BZ#832560
When replication was configured and a conflict occurred, under certain circumstances, an error check did not reveal this conflict, because a to-be-deleted attribute was already deleted by another master. Consequently, the conflict terminated the server. This update improves error checks to prevent replication conflicts from crashing the server.

BZ#833202
Previously, internal entries that were in the cache were freed when retrying failed transactions due to a deadlock. This behavior caused problems in a directory server and this server could terminate under a heavy update load. With this update, the cached internal entries are no longer freed and directory servers do not crash in the described scenario.

BZ#833218
Due to improper deadlock handling, the database reported an error instead of retrying the transaction. Consequently, under a heavy load, the directory server got deadlock errors when attempting to write to the database. The deadlock handling has been fixed and 389 Directory Server works as expected in such a case.

BZ#834047
Internal access control prohibited deleting newly added or modified passwords. This update allows the user to delete any password if they have the modify rights.

BZ#834054
Certain operations, other than LDAP Modify operations, can cause the 389 Directory Server to modify internal attributes. For example, a BIND operation can cause updates to password failure counters. In these cases, 389 Directory Server was updating attributes that could only be updated during an explicit LDAP Modify operation, such as the modifyTimestamp attribute. This update adds a new internal flag to skip the update of these attributes on other than Modify operations.

BZ#834056
Due to an invalid configuration setup in the Auto Member plug-in, the directory server became unresponsive under certain circumstances. With this update, the configuration file is validated, invalid configurations are not allowed, and the server no longer hangs.

BZ#834057
When using SNMP monitoring, 389 Directory Server terminated at startup due to multiple ldap servers listed in the ldap-agent.conf file. With this update, the buffer between ldap servers no longer resets and 389 Directory Server starts up regardless of the number of ldap servers listed in the configuration file.

BZ#834064
Previously, the dnaNextValue counter was incremented in the pre-operation stage. Consequently, if the operation failed, the counter was still incremented. This bug has been fixed and the dnaNextValue counter is not incremented if the operation fails.

BZ#834065
When a replication agreement was added without the LDAP BIND credentials, the replication process failed with a number of errors. With this update, 389 Directory Server validates the replication configuration and ensures that all needed credentials are supplied. As a result, 389 Directory Server rejects invalid replication configuration before attempting to replicate with invalid credentials.

BZ#834075
Previously, the logconv.pl script did not grab the correct search base, and as a consequence, the searching statistics were invalid. A new hash has been created to store connections and operation numbers from search operations. As a result, logconv.pl now grabs the correct search base and no longer produces incorrect statistics.

BZ#838706
When using the Referential Integrity plug-in, renaming a user DN did not rename the user's DN in the user's groups, unless that case matched exactly. With this update, case-insensitive comparisons or DN normalizations are performed, so that the member attributes are updated when the user is renamed.

BZ#840153
Previously, the Attribute Uniqueness plug-in did comparisons of un-normalized values. Consequently, using this plug-in and performing the LDAP RENAME operation on an entry containing one of the attributes which were tested for uniqueness by this plug-in caused the LDAP RENAME operation to fail with the following error:

Constraint Violation - Another entry with the same attribute value already exists.

With this update, Attribute Uniqueness ensures that comparisons are performed between values which were normalized the same way, and LDAP RENAME works as expected in this situation.

BZ#841600
When the Referential Integrity plug-in was used with a delay time greater than 0, and the LDAP RENAME operation was performed on a user entry with DN specified by one or more group entries under the scope of the Referential Integrity plug-in, the user entry DN in the group entries did not change. The underlying source code has been modified and LDAP RENAME operations work as expected in the described scenario.

BZ#842437
Previously, the DNA plug-in could leak memory in certain cases for certain MODIFY operations. This update applies a patch to fix this bug and the modifications are freed as expected with no memory leaks.

BZ#842438
To improve the performance, the entry cache size is supposed to be larger than the primary database size if possible. Previously, 389 Directory Server did not alert the user that the size of the entry cache was too small. Consequently, the user could not notice that the size of the entry cache was too small and that they should enlarge it. With this update, the configured entry cache size and the primary database size are examined, and if the entry cache is too small, a warning is logged in the error log.

BZ#842440
Previously, the Memberof plug-in code executed redundant DN normalizations and therefore slowed down the system. The underlying source code has been modified to eliminate redundant DN normalizations.

BZ#842441
Previously, the directory server could disallow changes that were made to the nsds5ReplicaStripAttrs attribute using the ldapmodify operation. Consequently, the attribute could only be set manually in the dse.ldif file when the server was shut down. With this update, the user is now able to set the nsds5ReplicaStripAttrs attribute using the ldapmodify operation.

BZ#850683
Previously, 389 Directory Server did not check attribute values for the nsds5ReplicaEnabled feature which caused this feature to be disabled. With this update, 389 Directory Server checks if the attribute value for nsds5ReplicaEnabled is valid and reports an error if it is not.

BZ#852088
When multi-master replication or database chaining was used with the TLS/SSL protocol, a server using client certificate-based authentication was unable to connect and connection errors appeared in the error log. With this update, the internal TLS/SSL and certificate setup is performed correctly and communication between servers works as expected.

BZ#852202
Previously, there was a race condition in the replication code. When two or more suppliers were attempting to update a heavily loaded consumer at the same time, the consumer could, under certain circumstances, switch to total update mode, erase the database, and abort replication with an error. The underlying source code has been modified to prevent the race condition. As a result, the connection is now protected against access from multiple threads and multiple suppliers.

BZ#852839
Due to the use of an uninitialized variable, a heavily loaded server processing multiple simultaneous delete operations could terminate unexpectedly under certain circumstances. This update provides a patch that initializes the variable properly and the directory server no longer crashes under these circumstances.

BZ#855438
Due to an incorrect attempt to send the cleanallruv task to the Windows WinSync replication agreements, the task became unresponsive. With this update, the WinSync replication agreements are ignored and the cleanallruv task no longer hangs in the described scenario.

BZ#856657
Previously, the dirsrv init script always returned 0, even when one or all the defined instances failed to start. This update applies a patch that improves the underlying source code and dirsrv no longer returns 0 if any of the defined instances failed.

BZ#858580
The schema reload task reloads schema files in the schema directory. Simultaneously, Directory server has several internal schemas which are not stored in the schema directory. These schemas were lost after the schema reload task was executed. Consequently, adding a posixAccount class failed. With this update, the internal schemas are stashed in a hash table and reloaded with external schemas. As a result, adding a posixAccount is successful.

BZ#863576
When abandoning a Simple Paged Result request, 389 Directory Server tried to acquire a connection lock twice, and because the connection lock is not self reentrant, 389 Directory Server was waiting for the lock forever and stopped the server. This update provides a patch that eliminates the second lock and 389 Directory Server works as expected in the described scenario.

BZ#864594
Previously, Anonymous Resource Limits applied to the Directory Manager. However, the Directory Manager should never have any limits. With this update, Anonymous Resource Limits no longer apply to Directory Manager.

BZ#868841
Even if an entry in AD did not contain all the required attributes for the POSIX account entry, the entry was synchronized to the DS as a POSIX entry. Consequently, the synchronization failed due to a “missing attribute” error. With this update, if an entry does not have all the required attributes, the POSIX account related attributes are dropped and the entry is synchronized as an ordinary entry. As a result, the synchronization is successful.

BZ#868853
When enabling replication level logging, the Windows Sync feature prints out what version of Windows or AD it detects. Previously, if the feature detected Windows Server 2003 or later, it printed out the following message:

detected win2k3 peer

This message could be confusing for users who had a later version of Windows, such as Windows Server 2008. This update modifies the message and now the following message is printed out:

detected win2k3 or later peer

BZ#870158
When a directory server was under a heavy load, deleting entries using the Entry USN feature caused tombstone entry indexes to be processed incorrectly. Consequently, the server could become unresponsive. This update fixes 389 Directory Server to process tombstone indexes correctly, so that the server no longer hangs in this situation.

BZ#870162
Previously, the abandon request checked if the operation to abandon existed. When a search operation was already finished and an operation object had been released, a Simple Page Results request could fail due to this check. This update modifies 389 Directory Server to skip operation existence checking, so that Simple Paged Results requests are always successfully aborted.

BZ#875862
Previously, the DNA plug-in attempted to dereference a NULL pointer value for the dnaMagicRegen attribute. Consequently, if DNA was enabled with no dnamagicregen value specified in its configuration and an entry with an attribute that triggered the DNA value generation was added, the server could terminate unexpectedly. This update improves the 389 Directory Server to check for an empty dnamagicregen value before it attempts to dereference this value. As a result, 389 Directory Server no longer crashes if no dnamagicregen attribute is specified.

BZ#876694
Previously, the code to check if a new superior entry existed, returned the “No such object” error only when the operation was requested by the directory manager. Consequently, if an ordinary non-root user attempted to use the modrdn operation to move an entry to a non-existing parent, the server terminated unexpectedly. This update provides a patch that removes the operator condition so that the check returns the “No such object” error even if the requester is an ordinary user, and the modrdn operation performed to the non-existing parent successfully fails for any user.

BZ#876727
If a filter contained a range search, the search retrieved one ID per one idl_fetch attribute and merged it to the ID list using the idl_union() function. This process is slow, especially when the range search result size is large. With this update, 389 Directory Server switches to ALLID mode by using the nsslapd-rangelookthroughlimit switch instead of creating a complete ID list. As a result, the range search takes less time.

BZ#889083
Previously, if an entry was added or created without plug-in interference, the nsslapd-plugin-track-binddn feature filled the value of the internalModifiersname and internalCreatorsname attributes with the original bind DN instead of the name of the actual plug-in that modified or added the entry. This behavior is undesired; thus the nsslapd-plugin-track-binddn has been modified to always show the name of the actual plug-in that performed these operations.

BZ#891930
In previous versions of the 389-ds-base packages, an attempt to add a new entry to the DNA plug-in when the range of values was depleted caused the following error message to be returned:

ipa: ERROR: Operations error: Allocation of a new value for range cn=posixids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.

This message was missing all additional information in recent versions of the 389-ds-base packages. With this update, a patch is applied to provide the returned error message with additional information.

BZ#896256
Previously, an upgrade of the 389-ds-base packages affected configuration files. Consequently, custom configuration files were reverted to the defaults. This update provides a patch to ensure that custom changes in configuration files are preserved during the upgrade process.

Enhancements

BZ#746642
This update allows the PAM Pass-through plug-in to pass through the authentication process to different PAM stacks, based on domain membership or some property of the user entry, or both. Users now can login to Red Hat Directory Server using the credentials and account data from the correct AD server.

BZ#768084
This enhancement improves the automember plug-in to check existing entries and writes out the changes which occur if these entries are added.

BZ#782975
Previously, certain BINDs could cause only entries with the modifiersname or modifystimestamp attribute to be updated. This behavior led to unnecessary replication traffic. This enhancement introduces the new replication feature to decrease replication traffic caused by BINDs.

BZ#830331
This enhancement adds the new Disk Monitoring plug-in. When disk partitions fill up, Disk Monitoring returns a warning.

BZ#830340
Previously, two tasks were needed to be performed to clean an entire replication environment, the clean task and the release task. With this update, these tasks are incorporated in the Cleanallruv feature.

BZ#830347
Previously, the Paged Results search was allowed to perform only one request per connection. If the user used one connection, multiple Paged Results requests were not supported. This update adds support for multiple Paged Results requests.

BZ#830355
With this enhancement, obsolete elements in the Database Replica Update Vector (RUV) can be removed with the CLEANRUV operation, which removes them on a single supplier or master.

BZ#833222
This enhancement improves the memberOf plug-in to work across multiple back ends or suffixes.

BZ#834046
With this update, the Directory Server schema has been updated with the nsTLS1 attribute to make TLS/SSL configuration easier.

BZ#834049
With this update, the Directory Server schema has been updated to include the DNA plug-in attributes.

BZ#834052
This enhancement improves the Access Control feature to control the Directory Manager account.

BZ#834053
This enhancement adds the ability to execute internal modification operations without changing the operational modifiersname attribute.

BZ#834058
With this update, the logconv.pl script has been enhanced with the getopts() function.

BZ#834060
Previously, the password lockout process was triggered not when the maximum number of tries was reached, but the time after. This behavior was not consistent with other vendors' LDAP servers. This enhancement adds the new option which allows users to specify the behavior of password lockout.

BZ#834061
Previously, DS did not include the SO_KEEPALIVE settings and connections could not be closed properly. This enhancement implements the SO_KEEPALIVE settings to the DS connections.

BZ#834063
With this update, the new passwordTrackUpdateTime attribute has been added. This attribute records a timestamp when the password was last changed.

BZ#834074
This enhancement adds the new nsds5ReplicaEnabled attribute to the replication agreement. If the replication agreement is disabled, it appears to be removed, but can be easily re-enabled and resumed.

BZ#847868
Previously, the Windows Sync plug-in did not support the RFC 2307 and 2307bis types of POSIX schema which supports Windows Active Directory (AD). Under these circumstances, users had to synchronize data between AD and DS manually which could return errors. This enhancement changes the POSIX attributes to prevent these consequences.

Note

Note that for the initial release, when adding new user and group entries to the DS, the POSIX attributes are not synchronized with AD. Adding new user and group entries to AD synchronizes to DS, and modifying attributes synchronizes both ways.

BZ#852087
This enhancement improves the Directory Server schema to allow setting up an access control for the nsslapd-readonly attribute.

All users of 389-ds-base are advised to upgrade to these updated packages, which correct this issue and provide numerous bug fixes and enhancements. After installing this update, the 389 server service will be restarted automatically.

6.2. abrt, libreport and btparser

6.2.1. RHBA-2013:0290 — abrt, libreport and btparser bug fix and enhancement update

Updated abrt, libreport and btparser packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

ABRT is a tool to help users to detect defects in applications and to create a problem report with all the information needed by a maintainer to fix it. ABRT uses a plug-in system to extend its functionality.

The libreport libraries provide an API for reporting different problems in applications to different bug targets like Bugzilla, ftp, and trac.

The btparser utility is a backtrace parser and analyzer library, which works with backtraces produced by the GNU Project Debugger. It can parse a text file with a backtrace to a tree of C structures, allowing to analyze the threads and frames of the backtrace and process them.

Upgrade to an upstream version

The btparser packages have been upgraded to upstream version 0.17, which provides a number of bug fixes and enhancements over the previous version. (BZ#846667)

Bug Fixes

BZ#799909
When the user attempted to remove a non-existing problem directory using the abrt-cli utility, abrt-cli emitted a confusing error message, such as in the following example:

# abrt-cli rm sdfsdf
'sdfsdf' does not exist
Can't connect to '/var/run/abrt/abrt.socket': Connection refused

With this update, abrt-cli has been modified to display only a message informing that such a problem directory does not exist.

BZ#808721, BZ#814594
When multiple kernel oopses occur in a short period of time, ABRT saves only the first oops because the later oopses are mostly only consequences of the first problem. However, ABRT sorted the processed oopses incorrectly so that the last oops that occurred was saved instead of the first oops. With this update, ABRT has been modified to process multiple kernel oopses in the correct order so that ABRT now saves the first oops as expected.

BZ#810309
Due to incorrect configuration, ABRT attempted to use the abrt-bodhi command, which is not available in Red Hat Enterprise Linux, while analyzing a backtrace. As a consequence, the user could see the following error message in the problem backtrace:

/bin/sh: line 6: abrt-bodhi: command not found

However, the error message had no influence on the problem reporting process. This update corrects the ABRT configuration so that the abrt-bodhi command is removed from the analyzer events and the error message no longer occurs.

BZ#811901
Previously, ABRT expected the dbus-send command to be always present on a system. However, ABRT does not depend on the related dbus package so there is no guarantee that the command is installed on the system. Therefore, when processing events that use the dbus-send command and the dbus package was not installed, ABRT emitted the following error message to the system log:

abrtd: /bin/sh: dbus-send: command not found

With this update, ABRT has been modified to verify the existence of dbus-send before attempting to call this command. The aforementioned error messages no longer occur in the system log.

BZ#813283
Previously, when running the report-gtk command with a non-existing problem directory, ABRT GUI attempted to process the problem directory. As a consequence, the terminal was flooded with GTK error messages. With this update, the ABRT GUI has been modified to no longer process non-existing problem directories. GUI now only prints a message informing that the processed directory does not exist and exits gracefully.

BZ#817051
The report tool always had to be executed from a problem directory even to perform actions which do not require the problem directory, such as adding an attachment to the existing bug report. When running from a directory that was not a problem directory, the report tool failed with the following error message:

'.' is not a problem directory

With this update, the report tool has been modified to not require a problem directory if the "-t" option is specified. The report tool can now be used to update existing bug reports without a need to run inside a problem directory.

BZ#815339, BZ#828673
Due to an error in the default libreport configuration, ABRT attempted to run the reporter-bugzilla command, which is not installed by default. This caused the following warning message to appear during problem reporting:

/bin/sh: line 4: reporter-bugzilla: command not found

However, the reporting process was not affected by this warning message. With this update, the default configuration of libreport has been corrected and reporter-bugzilla is no longer called by ABRT in the default configuration. The aforementioned warning message is no longer displayed during the reporting process.

BZ#820475
Previously, the abrt-ccpp init script did not emit any status message so that the service abrt-ccpp status command did not display any output. This update corrects the abrt-ccpp init script so that if the abrt-ccpp service is running the "abrt-ccpp hook is installed" message is displayed. If abrt-ccpp is stopped, the "abrt-ccpp hook is not installed" message appears.

BZ#826745
Certain ABRT libraries were previously built with wrong linker parameters and when running prelink on these libraries, the process returned error messages that the library contains "undefined non-weak symbols". With this update, the related makefiles have been corrected and the aforementioned errors no longer occur during prelink phase.

BZ#826924
ABRT ran the sosreport utility whenever a problem was detected. However, if the detected problem was caused by sosreport, ABRT could run sosreport in an infinite loop. Consequently, abrtd became unresponsive with extensive consumption of system resources. This update modifies ABRT to ignore consequent crashes in the same component that occur within a 20-second time period. The abrtd daemon no longer hangs if sosreport crashes.

BZ#847227
ABRT previously moved captured vmcore files from the default location in the /var/crash/ directory to the /var/spool/abrt/ directory. This affected the functioning of various tools that expected a vmcore file to be present in the /var/crash/ directory. This update modifies ABRT to use the CopyVMcore configuration option to specify whether to copy or move the core file. By default, ABRT no longer moves vmcore from the /var/crash/ directory but copies it.

BZ#847291
When disk space usage of the /var/spool/abrt/ directory reaches the specified disk space quota, ABRT finds and removes the largest problem directory. However, ABRT was previously unable to handle situations when the largest directory in /var/spool/abrt/ was not a problem directory. ABRT could not remove this directory and entered an infinite loop while searching for the largest directory to be removed. This update modifies ABRT to exclude unknown directories when determining which problem directory needs to be removed. The abrtd daemon no longer hangs in this scenario.

BZ#856960
When configured for centralized crash collection, ABRT previously printed logging credentials in plain text into the /var/log/messages log file on a dedicated system while uploading a crash report. This was a security risk, and so ABRT has been modified to no longer print the libreport-plugin-reportuploader plug-in credentials in log messages.

BZ#873815
When processing a large amount of problems, the inotify handling code could become out of sync, causing abrtd to be unable to read inotify events. Eventually, abrtd became unresponsive while trying to read an inotify event. If this happened and a Python application attempted to communicate with ABRT, abrtd and the Python application entered a deadlock situation. The daemon was busy trying to read an incoming inotify event and the Python script was waiting for a response from abrtd, which caused the application to become unresponsive as well. With this update, the ABRT exception handler sets timeout on a socket used for communication between abrtd and Python scripts, and also the inotify handling code has been modified. The abrtd daemon and Python applications no longer hang, however under heavy load, the inotify handling code can still become out of sync, which would cause abrtd to stop accepting new problems. If abrtd stops accepting new problems, it has to be restarted to work correctly again.

All users of abrt, libreport and btparser are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.3. alsa-utils

6.3.1. RHBA-2013:0318 — alsa-utils bug fix and enhancement update

Updated alsa-utils packages that fix numerous bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The alsa-utils package contains command line utilities for the Advanced Linux Sound Architecture (ALSA).

Upgrade to an upstream version

The alsa-utils package has been upgraded to upstream version 1.0.22, which provides a number of bug fixes and enhancements over the previous version. (BZ#838951)

Enhancement

BZ#814832

The alsa-utils package has been enhanced to work better with the GNOME volume control applet and sound preferences user interface.

Users of alsa-utils are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.4. amanda

6.4.1. RHBA-2013:0427 — amanda bug fix update

Updated amanda packages that fix one bug are now available for Red Hat Enterprise Linux 6.

AMANDA, the Advanced Maryland Automatic Network Disk Archiver, is a backup system that allows the administrator of a LAN to set up a single master backup server to back up multiple hosts to one or more tape drives or disk files.

Bug Fix

BZ#752096

Previously, the amandad daemon, which is required for successful running of AMANDA, was located in the amanda-client package; however, this package was not required during installation of the amanda-server package. Consequently, AMANDA did not work properly. The amanda-client package has been added to the amanda-server dependencies and AMANDA works correctly now.

All AMANDA users are advised to upgrade to these updated packages, which fix this bug.

6.5. anaconda

6.5.1. RHBA-2013:0373 — anaconda bug fix and enhancement update

Updated anaconda packages that fix numerous bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The anaconda packages contain portions of the Anaconda installation program that can be run by the user for reconfiguration and advanced installation options.

Bug fixes

BZ#803883

Due to a bug in the multipath output parsing code, when installing Red Hat Enterprise Linux 6 on an IBM Power system with JBOD (Joined Body Of Disks — more than one hard drive attached to the same SAS controller), Anaconda could detect these multiple hard drives as a multipath device. This in turn caused the partitioning of the hard drive to fail, causing the installation of the system to fail as well. This update fixes the parsing code and the system is installed correctly.

BZ#848741

The Anaconda installer did not wait for BIOS storage devices to initialize when booted with the ks:bd:<bios disk>:/ks.cfg command-line option. As a consequence, BIOS storage devices could not be found and the installation could fail. To fix this bug, a delay algorithm for BIOS devices has been added to the code path used when booting with ks:bd:<bios disk>:/ks.cfg. As a result, Anaconda tries to wait for BIOS devices to initialize.

BZ#828650

The file system migration from ext2 to ext3 did not work because Anaconda did not modify the /etc/fstab file with the new ext3 file system type. Consequently, after the installation, the file system was mounted as an ext2 file system. With this update, Anaconda properly sets the migrated file system type in /etc/fstab. Thus, the file system is mounted as expected after installation.

BZ#886150

When installing Red Hat Enterprise Linux 6.4 Beta using the kickstart file, which included the partition scheme, LVM incorrectly removed the dashes from Logical Volume and Volume Group names. This caused the names to be malformed. This update fixes the aforementioned function to correctly format Logical Volume and Volume Group names during the installation process.

BZ#819486

Using IPv6 to install Red Hat Enterprise Linux 6.3 (both Alpha and Beta) on a z/VM guest enabled the user to SSH to the system and proceed with the language selection screen. However, after this step, the installation stopped and the SSH session was closed. With this update, the IPv6 installation on a z/VM guest is successful on Red Hat Enterprise Linux 6.4.

BZ#824963

A kickstart installation on unsupported hardware resulted in a dialog box asking for confirmation before proceeding with the installation process. As a consequence, it was not possible to perform a kickstart installation on unsupported hardware without any user input. To fix this bug, a new unsupported_hardware kickstart command has been added, which skips the interactive dialog warning when installing a system on unsupported hardware without user input.

BZ#811197

When a /boot partition was on a RAID device, inconsistent messages were returned because it was not supported to have this partition on such a device. These varied messages were confusing. To fix this bug, the error messages have been corrected to make sense and to not duplicate each other.

BZ#834689

Kernel modules containing Microsoft paravirtualized drivers were missing in the installation environment. To fix this bug, kernel modules with Microsoft PV have been added to the installation environment. As a result, better support for Microsoft virtualization is provided.

BZ#837835

Modules with VMware PV drivers were not included in the installation environment. This update adds the modules with VMware PV drivers to provide better virtualization support.

BZ#809641

The udev device manager was not used to resolve kickstart raid --onpart disk references. As a consequence, the /dev/disk/by-id/ path could not be used properly. With this update, the udev_resolve_devspec() function is used to resolve the --onpart command option. As a result, the raid --onpart command can now use the /dev/disk/by-id/ paths as expected.

BZ#809640

The Anaconda installer did not use the udev device manager to resolve /dev/disk/by-id/ names. This meant the kickstart installation method did not work with /dev/disk/by-id/ names. To fix this bug, Anaconda is now using udev to resolve /dev/disk/by-id/ names. As a result, kickstart installations using /dev/disk/by-id/ names work as expected.

BZ#804557

When installing a system using the text mode on a machine which already had Red Hat Enterprise Linux installed on it, a traceback error occurred when the Back button was used to go back from any dialog after the time zone dialog. With this update, disks are rescanned when moving back through the upgrade dialog, thus preventing this bug.

BZ#840723

The Anaconda installer called the modprobe tool without the -b argument that enabled blacklists. Consequently, modules were not blacklisted. To fix this bug, the required argument has been added to the modprobe call. As a result, modules are blacklisted as expected.

BZ#851249

The Anaconda installer appended the boot= parameter on the command line whenever the fips=1 parameter was used. With this update, Anaconda appends the boot= parameter only when the fips=1 parameter is used and /boot is on a separate partition.

BZ#828029

This update fixes a typographical error in the Korean version of a warning message used to alert users of a root password that is too simple.

BZ#681224

The Anaconda installer did not verify package checksums against the checksum in the repository metadata. A package which did not match the repo metadata checksum could be installed by the Yum utility. As a consequence, an incorrect package could be installed with no errors returned. This update adds verification of the package checksum against the checksum in the repository metadata.

BZ#656315

IPv6 configuration options of the installer's text UI (user interface) used descriptions that suggested a misleading meaning. Consequently, the description could mislead the users with DHCPv6 configured to use Dynamic IPv6 configuration (DHCPv6) which used DHCPv6 exclusively without using SLAAC automatic configuration. To fix this bug, the first option (Automatic neighbor discovery) has been renamed to Automatic; it is the (SLAAC) automatic configuration with the option of using a DHCPv6 server based on RA server configuration. The second option (Dynamic IP configuration (DHCPv6)) was renamed to Automatic, DHCP only, which describes the actual configuration to be used more accurately. These descriptions are now the same as those used by Network Manager. As a result, it is now clearer that the third option (Automatic, DHCP only) is using the DHCPv6 server exclusively.

BZ#836321

The command-line interface of the fcoe-utils package in Red Hat Enterprise Linux 6.3 was changed but the installer did not adapt to this change correctly. As a consequence, FCoE initiators were not able to log in to remote storages, which could then not be used for installation. To fix this bug, the fipvlan command arguments have been fixed to use the new -f option correctly. As a result, the installer now logs in to an FCoE remote storage correctly, and can be used for installation purposes.

BZ#823690

Repositories without size data caused a divide-by-zero error. Consequently, the installation failed. With this update, repositories without size data do not cause a divide-by-zero error and the installation succeeds.

BZ#848818

Support for the --hibernation option was only added to the part command. Consequently, --hibernation did not work with the logvol command. To fix this bug, support for --hibernation has been added to the logvol command. As a result, --hibernation now works with the logvol command.

BZ#784001

The linksleep option used to be applied only for the ksdevice= boot parameter using the value link. Consequently, when the ksdevice boot parameter was supplied a value containing a device name or a MAC address, the linksleep boot parameter did not take effect. Without waiting for the link, as required by the linksleep boot parameter, the installer could fail. To fix this bug, the linksleep boot parameter has been added to code paths where the to-be-activated device is specified. As a result, the linksleep boot parameter is honored also for installation where the ksdevice boot parameter is supplied a value containing a device name or a MAC address.

BZ#747278

The Anaconda installer did not check lengths of Logical Volume Manager (LVM) Volume Group names or Logical Volume names. As a consequence, an error occurred when creating disk partitions. To fix this bug, the length of LVM Volume Group names has been truncated to 32 characters and Logical Volume names to 16 characters. As a result, the installation completes successfully.

BZ#746925

Previously, Anaconda failed to enable add-on repositories when upgrading the system. Consequently, packages from the add-on repositories were not upgraded. This update allows Anaconda to enable add-on repositories when the system is upgrading and packages from the add-on repositories are upgraded as expected.

Enhancements

BZ#668065

With this update, the vlanid= boot option and the --vlanid= kickstart option can be used to allow users to set a virtual LAN ID (802.1q tag) for a specified network device. By specifying either one of these options, installation of the system can be done over a VLAN.

BZ#838736

This update allows users to select a LUKS encryption type in the kickstart configuration file.

BZ#662007

The bond boot, --bondslaves and --bondopts kickstart options can now be used to configure bonding as a part of the installation process. For more information on how to configure bonding, refer to the following parts of the Red Hat Enterprise Linux 6 Installation Guide: the Kickstart Options section and the Boot Options chapter.

BZ#813998

When using a kickstart file to install Red Hat Enterprise Linux 6.4, with the new fcoe kickstart option, users can now specify which Fibre Channel over Ethernet (FCoE) devices should be activated automatically in addition to those discovered by Enhanced Disk Drive (EDD) services. For more information, refer to the Kickstart Options section in the Red Hat Enterprise Linux 6 Installation Guide.

BZ#838742

RPM signatures are now generated using the sha256sum utility instead of the md5sum utility. With this update, the sha256sum command-line utility is included in Anaconda and is available in the shell during the installation process.

Users of anaconda are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.
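The check that BZ#681224 describes, sketched as an added Python example (not Anaconda's or Yum's own code): it reads the package checksums from a createrepo-style primary.xml and refuses a package whose digest does not match. The package body, file name and metadata below are constructed sample data.

```python
import hashlib
import xml.etree.ElementTree as ET

# Namespace used by yum/createrepo "primary.xml" repository metadata.
COMMON_NS = "{http://linux.duke.edu/metadata/common}"

# Metadata checksum type -> hashlib name. "sha" is the legacy spelling of SHA-1.
SUPPORTED = {"sha": "sha1", "sha1": "sha1", "sha256": "sha256", "sha512": "sha512"}


class ChecksumError(Exception):
    """Raised when a package cannot be verified against the metadata."""


def load_expected_checksums(primary_xml):
    """Return {location href: (hashlib name, hex digest)} from primary.xml text."""
    expected = {}
    root = ET.fromstring(primary_xml)
    for pkg in root.iter(COMMON_NS + "package"):
        location = pkg.find(COMMON_NS + "location")
        checksum = pkg.find(COMMON_NS + "checksum")
        if location is None or checksum is None:
            # An entry without a checksum can never be verified, so it is
            # left out and verify_package() will reject that package.
            continue
        kind = (checksum.get("type") or "").lower()
        if kind not in SUPPORTED:
            raise ChecksumError("unsupported checksum type %r" % kind)
        digest = (checksum.text or "").strip().lower()
        expected[location.get("href")] = (SUPPORTED[kind], digest)
    return expected


def verify_package(href, payload, expected):
    """Return the algorithm used, or raise ChecksumError on any mismatch."""
    if href not in expected:
        raise ChecksumError("%s is not listed in the repository metadata" % href)
    algo, want = expected[href]
    got = hashlib.new(algo, payload).hexdigest()
    if got != want:
        raise ChecksumError(
            "%s: %s mismatch (metadata %s, file %s)" % (href, algo, want, got)
        )
    return algo


# Constructed sample data: a stand-in package body and its metadata entry.
SAMPLE_HREF = "Packages/example-1.0-1.noarch.rpm"
SAMPLE_RPM = b"constructed package payload, not a real RPM"
SAMPLE_PRIMARY = """<metadata xmlns="http://linux.duke.edu/metadata/common" packages="1">
  <package type="rpm">
    <name>example</name>
    <checksum type="sha256" pkgid="YES">%s</checksum>
    <location href="%s"/>
  </package>
</metadata>""" % (hashlib.sha256(SAMPLE_RPM).hexdigest(), SAMPLE_HREF)


if __name__ == "__main__":
    index = load_expected_checksums(SAMPLE_PRIMARY)
    print("intact package verified with", verify_package(SAMPLE_HREF, SAMPLE_RPM, index))
    try:
        verify_package(SAMPLE_HREF, SAMPLE_RPM + b"\x00", index)
    except ChecksumError as err:
        print("modified package rejected:", err)
```

The check only binds a package to the metadata it is compared against, so the metadata itself has to come from a source the installer trusts.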

6.6. authconfig

6.6.1. RHBA-2013:0486 — authconfig bug fix update

Updated authconfig packages that fix two bugs are now available for Red Hat Enterprise Linux 6.

The authconfig packages provide a command line utility and a GUI application that can configure a workstation to be a client for certain network user information and authentication schemes, and other user information and authentication related options.

Bug Fixes

BZ#862195

Prior to this update, the authconfig utility used old syntax for configuring the idmap mapping in the smb.conf file when started with the "--smbidmapuid" and "--smbidmapgid" command line options. Consequently, Samba 3.6 ignored the configuration. This update adapts authconfig to use the new syntax of the idmap range configuration so that Samba 3.6 can read it.

BZ#874527

Prior to this update, the authconfig utility could write an incomplete sssd.conf file when using the options "--enablesssd" or "--enablesssdauth". As a consequence, the sssd daemon did not start. With this update, authconfig no longer tries to create the sssd.conf file without complete information, and the sssd daemon can now start as expected.

All users of authconfig are advised to upgrade to these updated packages, which fix these bugs.

6.7. autofs

6.7.1. RHBA-2013:0462 — autofs bug fix and enhancement update

Updated autofs packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The autofs utility controls the operation of the automount daemon. The automount daemon automatically mounts file systems when you use them, and unmounts them when they are not busy.

Bug Fixes

BZ#585059

When the automount daemon managed a large number of mount points, unmounting all active mount points could take a longer period of time than expected. If the daemon failed to exit within 45 seconds, the autofs init script timed out and returned a false-positive shutdown failure. To resolve this problem, the init script restart behavior has been modified. If the init script repeatedly fails to stop the daemon, the script terminates the daemon by sending the SIGKILL signal, which allows autofs to be restarted correctly.

BZ#819703

The automount interface matching code was able to detect only IPv4 interfaces. As a consequence, mount points were mounted with an incorrect mount type when using IPv6. To fix this problem, the automount interface matching code has been modified to use the getifaddrs() function instead of ioctl(). The automount interface matching code now properly recognizes IPv6 interfaces, and both IPv4 and IPv6 mounts are now mounted as expected.

BZ#827024, BZ#846852, BZ#847873

Previously, automount could terminate unexpectedly with a segmentation fault when using the internal hosts map. This could happen due to a function name collision between autofs and the libtirpc library. Both utilities called a debug logging function of the same name but with a different call signature. This update applies a series of patches that fix this problem by redefining the internal debug logging function in autofs. Also, several other bugs related to the autofs RPC function have been fixed. The automount daemon no longer crashes when using the internal hosts map and the libtirpc library is installed on the system.

BZ#834641

Due to an incorrectly placed port test in the get_nfs_info() function, autofs attempted to contact the portmap service when mounting NFSv4 file systems. Consequently, if the portmap service was disabled on the server, automount failed to mount the NFSv4 file systems with the following error message:

mount(nfs): no hosts available

With this update, the port check has been moved to the correct location in the code so that automount no longer contacts the server's port mapper when mounting NFSv4 file systems. NFSv4 file systems are mounted as expected in this scenario.

BZ#836422

Previously, the autofs internal hosts map could not be refreshed until all entries in the map had been unmounted. Consequently, users could not access newly exported NFS shares and any attempt to access such shares failed with the "No such file or directory" error message. This update allows the server export list to be updated by sending a HUP signal to the automount daemon. This causes automount to request server exports so the hosts map and associated automounts can be updated. Newly exported NFS shares can now be accessed as expected.

BZ#845512

Previously, the usage message displayed by the autofs init script did not contain the "usage" command entry. This update corrects the init script so it now displays all commands that can be used with the autofs service as expected.

BZ#856296

When stopping the autofs service, autofs did not correctly handle situations where a null map entry appeared after a corresponding indirect map entry in the autofs master map. As a consequence, automount attempted to unmount a non-existing automount point and became unresponsive. This update modifies autofs to process null map entries correctly so it no longer attempts to unmount non-existing automount points. The autofs service now stops gracefully as expected.

BZ#860184

Previously, the autofs init script did not allow any commands to be run by unprivileged users. However, it is desirable to let a non-root user check the status of autofs, for example for monitoring purposes. Therefore, this update modifies the autofs init script to allow unprivileged users to execute the service autofs status command.

BZ#865311

Previous versions of autofs contained several typographical errors and misleading information in the auto.master(5) man page, and autofs.sysconfig and autofs.conf configuration files. This update corrects these bugs including the description of the MOUNT_NFS_DEFAULT_PROTOCOL and MOUNT_WAIT options.

BZ#868973

When attempting to mount an NFSv4 share from an unreachable NFSv4 server, autofs did not close IPv6 UDP sockets. This could eventually lead to depletion of free file descriptors and an automount failure. This update modifies autofs to close IPv6 UDP sockets as expected, and automount no longer fails due to too many open files in the described scenario.

BZ#892846

When using autofs with LDAP, the code used to perform a base DN search allowed a race between two threads executing the same function simultaneously to occur. As a result of this race, autofs could attempt to access already freed memory and terminate unexpectedly with a segmentation fault. With this update, the code used to perform base DN searches has been moved to the function protected by a mutex, which prevents the race from occurring. The base DN searches are now performed only when refreshing settings of the map lookup modules.

Enhancements

BZ#846870

This update modifies autofs to allow configuring of separate timeout values for individual direct map entries in the autofs master map.

BZ#859947

With this update, the auto.master(5) man page has been updated to document the "-t, --timeout" option in the FORMAT options section.

BZ#866338

The auto.master(5) man page has been updated to clarify the description of the "nobind" option when it is used with direct mount maps.

BZ#866396

The autofs.spec file has been modified to update the build dependency of the autofs sss interface library. The library now requires the libsss_autofs package instead of sssd.

BZ#822733

This update improves debug logging of autofs. With debug logging set on, automount now reports whether it needs to read a mount map or not.

All users of autofs are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.8. automake

6.8.1. RHSA-2013:0526 — Low: automake security update

An updated automake package that fixes one security issue is now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.

Automake is a tool for automatically generating Makefile.in files compliant with the GNU Coding Standards.

Security Fix

CVE-2012-3386

It was found that the distcheck rule in Automake-generated Makefiles made a directory world-writable when preparing source archives. If a malicious, local user could access this directory, they could execute arbitrary code with the privileges of the user running "make distcheck".

Red Hat would like to thank Jim Meyering for reporting this issue. Upstream acknowledges Stefano Lattarini as the original reporter.

Users of automake are advised to upgrade to this updated package, which corrects this issue.

6.9. avahi

6.9.1. RHBA-2013:0368 — avahi bug fix update

Updated avahi packages that fix one bug are now available for Red Hat Enterprise Linux 6.

Avahi is an implementation of the DNS Service Discovery and Multicast DNS specifications for Zero Configuration Networking. It facilitates service discovery on a local network. Avahi and Avahi-aware applications allow you to plug your computer into a network and, with no configuration, view other people to chat with, view printers to print to, and find shared files on other computers.

Bug Fix

BZ#599435

Previously, the Avahi library packages required the Avahi daemon packages as a dependency. Consequently, whenever installing some of the Avahi libraries, the Avahi daemon was installed as well, which could pose a security risk in certain environments. This update removes these dependencies so that the Avahi libraries are now installed without the Avahi daemon.

All users of avahi are advised to upgrade to these updated packages, which fix this bug.

6.10. bacula

6.10.1. RHBA-2012:1469 — bacula bug fix update

Updated bacula packages that fix multiple bugs are now available for Red Hat Enterprise Linux 6.

The bacula packages provide a tool set that allows you to manage the backup, recovery, and verification of computer data across a network of different computers.

Bug Fixes

BZ#728693

Prior to this update, the logwatch tool did not check the "/var/log/bacula*" file. As a consequence, the logwatch report was incomplete. This update adds all log files to the logwatch configuration file. Now, the logwatch report is complete.

BZ#728697

Prior to this update, the bacula tool itself created the "/var/spool/bacula/log" file. As a consequence, this log file used an incorrect SELinux context. This update modifies the underlying code to create the /var/spool/bacula/log file in the bacula package. Now, this log file has the correct SELinux context.

BZ#729008

Prior to this update, the bacula packages were built without the CFLAGS variable "$RPM_OPT_FLAGS". As a consequence, the debug information was not generated. This update modifies the underlying code to build the packages with CFLAGS="$RPM_OPT_FLAGS". Now, the debug information is generated as expected.

BZ#756803

Prior to this update, the perl script which generates the my.conf file contained a misprint. As a consequence, the port variable was not set correctly. This update corrects the misprint. Now, the port variable is set as expected.

BZ#802158

Prior to this update, values for the "show pool" command were obtained from the "res->res_client" item. As a consequence, the output displayed incorrect job and file retention values. This update uses the "res->res_pool" item to obtain the correct values.

BZ#862240

Prior to this update, the bacula-storage-common utility wrongly removed alternatives for the bcopy function during the update. As a consequence, the link to bcop.{mysql,sqlite,postgresql} disappeared after updating. This update modifies the underlying code to remove these links directly in storage-{mysql,sqlite,postgresql} and not in bacula-storage-common.

All users of bacula are advised to upgrade to these updated packages, which fix these bugs.

6.11. bash

6.11.1. RHBA-2013:0306 — bash bug fix and enhancement update

Updated bash packages that fix three bugs and add one enhancement are now available for Red Hat Enterprise Linux 6.

The bash packages provide the Bash (Bourne-again shell) shell, which is the default shell for Red Hat Enterprise Linux.

Bug Fixes

BZ#695656

Prior to this update, the trap handler could, under certain circumstances, lose signals during another trap initialization. This update blocks the signal while the trap string and handler are being modified. Now, the signals are no longer lost.

BZ#799958

Prior to this update, the manual page for trap in Bash did not mention that signals ignored upon entry cannot be listed later. This is now fixed and the manual page entry text is amended to "Signals ignored upon entry to the shell cannot be trapped, reset or listed".

BZ#800473

Prior to this update, the Bash shell called the trap handler within a signal handler when a SIGCHLD signal was received in job control mode and a handler for the signal was installed. This was a security risk and could cause Bash to enter a deadlock or to terminate unexpectedly with a segmentation fault due to memory corruption. With this update, the trap handler is now called outside of the signal handler, and Bash no longer enters a deadlock.

Enhancement

BZ#677439

This update enables the system-wide "/etc/bash.bash_logout" file. This allows administrators to write system-wide logout actions for all users.

All users of bash are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.

6.12. bfa-firmware

6.12.1. RHBA-2013:0315 — bfa-firmware bug fix and enhancement update

Updated bfa-firmware packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The bfa-firmware package contains the Brocade Fibre Channel Host Bus Adapter (HBA) Firmware to run Brocade Fibre Channel and CNA adapters. This package also supports the Brocade BNA network adapter.

Upgrade to an upstream version

The bfa-firmware packages have been upgraded to upstream version 3.0.3.1, which provides a number of bug fixes and enhancements over the previous version. (BZ#830015)

All users of bfa-firmware are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.13. bind-dyndb-ldap

6.13.1. RHBA-2013:0359 — bind-dyndb-ldap bug fix and enhancement update

Updated bind-dyndb-ldap packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The dynamic LDAP back end is a plug-in for BIND that provides back-end capabilities to LDAP databases. It features support for dynamic updates and internal caching that help to reduce the load on LDAP servers.

Upgrade to an upstream version

The bind-dyndb-ldap package has been upgraded to upstream version 2.3, which provides a number of bug fixes and enhancements over the previous version, in particular many persistent search improvements. Refer to /usr/share/doc/bind-dyndb-ldap/NEWS for a detailed list of the changes. (BZ#827414)

Bug Fixes

BZ#767496

When persistent search was in use, the plug-in sometimes terminated unexpectedly due to an assertion failure when the "rndc reload" command was issued and the LDAP server was not reachable. With this update, the code has been improved so that connection failures and reconnects are now handled more robustly. As a result, the plug-in no longer crashes in the scenario described.

BZ#829388

Previously, some relative domain names were not expanded correctly to FQDNs. Consequently, zone transfers sometimes contained relative domain names although they should only contain FQDNs (for example, they contained "name." record instead of "name.example.com."). The plug-in has been patched, and as a result, zone transfers now contain the correct domain names.

BZ#840381

Due to a bug in bind-dyndb-ldap, the named process sometimes terminated unexpectedly when a connection to LDAP timed out. Consequently, when a connection to LDAP timed out (or failed), the named process was sometimes aborted and DNS service was unavailable. The plug-in has been fixed and, as a result, now gracefully handles situations when a connection to LDAP fails.

BZ#856269

Due to a race condition, the plug-in sometimes caused the named process to terminate unexpectedly when it received a request to reload. Consequently, the DNS service was sometimes unavailable. A patch has been applied and as a result, the race condition during reload no longer occurs.

Enhancements

BZ#733711

LDAP in Red Hat Enterprise Linux 6.4 includes support for persistent search for both zones and their resource records. Persistent search allows the bind-dyndb-ldap plug-in to be immediately informed about all changes in an LDAP database. It also decreases network bandwidth usage required by repeated polling.

BZ#829340

Previously, it was only possible to configure IPv4 forwarders in LDAP. With this update, a patch has been added to the plug-in, and as a result, the plug-in is now able to parse and use IPv6 forwarders. BIND9 syntax for "forwarders" is required.

BZ#829385

Previously, it was impossible to share one LDAP database between multiple master servers; only one master server could be used. A new bind-dyndb-ldap option, "fake_mname", which allows for overriding the master server name in the SOA record, has been added. With this option it is now possible to override the master server name in the SOA record so that multiple servers can act as master server for one LDAP database.

BZ#840383

When multiple named processes shared one LDAP database and dynamically updated DNS records (via DDNS), they did not update the SOA serial numbers so it was impossible to serve such zones on secondary servers correctly (that is to say, they were not updated on slave servers). With this update, the plug-in can now update SOA serial numbers automatically, if configured to do so. Refer to the new "serial_autoincrement" option in the /usr/share/doc/bind-dyndb-ldap/README file for more details.

BZ#869323

This update provides support for the per-zone disabling of forwarding. Some setups require the disabling of forwarding per-zone. For example, company servers are configured as authoritative for a non-public zone and have global forwarding turned on. When the non-public zone contains delegation for a non-public subdomain, the zone must have explicitly disabled forwarding, otherwise the glue records will not be returned. As a result, a server can now return delegation glue records for private zones when global forwarding is turned on. Refer to /usr/share/doc/bind-dyndb-ldap/README for detailed information.

Users of bind-dyndb-ldap are advised to upgrade to these updated packages, which fix these bugs andadd these enhancements.

6.14. bind

6.14.1. RHSA-2013:0550 — Moderate: bind security and enhancement update

Updated bind packages that fix one security issue and add one enhancement are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. DNS64 is used to automatically generate DNS records so IPv6 based clients can access IPv4 systems through a NAT64 server.

Security Fix

CVE-2012-5689
A flaw was found in the DNS64 implementation in BIND when using Response Policy Zones (RPZ). If a remote attacker sent a specially-crafted query to a named server that is using RPZ rewrite rules, named could exit unexpectedly with an assertion failure. Note that DNS64 support is not enabled by default.

Enhancement

BZ#906312
Previously, it was impossible to configure the maximum number of responses sent per second to one client. This allowed remote attackers to conduct traffic amplification attacks using DNS queries with spoofed source IP addresses. With this update, it is possible to use the new "rate-limit" configuration option in named.conf and configure the maximum number of queries which the server responds to. Refer to the BIND documentation for more details about the "rate-limit" option.

All bind users are advised to upgrade to these updated packages, which contain patches to correct this issue and add this enhancement. After installing the update, the BIND daemon (named) will be restarted automatically.

6.14.2. RHBA-2013:0475 — bind bug fix update

Updated bind packages that fix multiple bugs are now available for Red Hat Enterprise Linux 6.

BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating properly.

Bug Fixes

BZ#827282
Previously, initscript sometimes reported a spurious error message "initscript: silence spurious"named.pid: No such file or directory" due to a race condition when the DNS server (named) was stopped. This spurious error message has been suppressed and is no longer reported in this scenario.

BZ#837165
Due to a race condition in the rbtdb.c source file, the named daemon could terminate unexpectedly with the INSIST error code. This bug has been fixed in the code and the named daemon no longer crashes in the described scenario.

BZ#853806
Previously, BIND rejected "forward" and "forwarders" statements in static-stub zones. Consequently, it was impossible to forward certain queries to specified servers. With this update, BIND accepts those options for static-stub zones properly, thus fixing this bug.

All users of bind are advised to upgrade to these updated packages, which fix these bugs.

6.15. binutils

6.15.1. RHBA-2013:0498 — binutils bug fix update

Updated binutils packages that fix two bugs are now available for Red Hat Enterprise Linux 6.

The binutils packages provide a set of binary utilities, including "ar" (for creating, modifying and extracting from archives), "as" (a family of GNU assemblers), "gprof" (for displaying call graph profile data), "ld" (the GNU linker), "nm" (for listing symbols from object files), "objcopy" (for copying and translating object files), "objdump" (for displaying information from object files), "ranlib" (for generating an index for the contents of an archive), "readelf" (for displaying detailed information about binary files), "size" (for listing the section sizes of an object or archive file), "strings" (for listing printable strings from files), "strip" (for discarding symbols), and "addr2line" (for converting addresses to file and line).

Bug Fixes

BZ#773526
In order to display a non-printing character, the readelf utility adds the "0x40" string to the character. However, readelf previously did not add that string when processing multibyte characters, so that multibyte characters in the ELF headers were displayed incorrectly. With this update, the underlying code has been corrected and readelf now displays multibyte and non-ASCII characters correctly.

BZ#825736
Under certain circumstances, the linker could fail to produce the GNU_RELRO segment when building an executable requiring GNU_RELRO. As a consequence, such an executable failed upon start-up. This problem also affected the libudev library so that the udev utility did not work. With this update, the linker has been modified so that the GNU_RELRO segment is now correctly created when it is needed, and utilities such as udev now work correctly.

All users of binutils are advised to upgrade to these updated packages, which fix these bugs.

6.16. biosdevname

6.16.1. RHBA-2013:0434 — biosdevname bug fix and enhancement update

Updated biosdevname packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The biosdevname packages contain a udev helper utility which provides an optional convention for naming network interfaces; it assigns names to network interfaces based on their physical location. The utility is disabled by default, except for on a limited set of Dell PowerEdge, C Series and Precision Workstation systems.

Upgrade to an upstream version

The biosdevname packages have been upgraded to upstream version 0.4.1, which provides a number of bug fixes and enhancements over the previous version. (BZ#825142)

Bug Fixes

BZ#751373
The biosdevname utility ignored the SMBIOS version check for PCI network adapters. Consequently, PCI network adapter interfaces were renamed according to PCI slot and port numbers on systems with unsupported SMBIOS versions. With this update, the new biosdevname utility ensures that if the SMBIOS version is not supported, PCI network adapter interfaces are not renamed. As a result, PCI network adapters are named with the kernel default name in the scenario described.

BZ#804754
When using Single Root I/O Virtualization (SR-IOV) with embedded network interface devices, the biosdevname utility did not check the System Management BIOS (SMBIOS) type of the physical function for corresponding virtual functions. Consequently, biosdevname did not find SMBIOS type 41 structure for the device virtual functions and did not suggest interface names for these onboard network interfaces. With this update, biosdevname now looks up the SMBIOS type 41 structure for the device virtual functions in the corresponding physical function table. As a result, onboard network devices with virtual network interfaces are now renamed according to the biosdevname naming scheme.

BZ#815724
The biosdevname utility did not handle PCI cards with multiple ports. Consequently, only the network interface of the first port of these cards was renamed according to the biosdevname naming scheme. An upstream patch has been applied and biosdevname now handles PCI cards with multiple ports. As a result, all ports of multiple port PCI cards are now renamed according to the biosdevname naming scheme.

All users of biosdevname are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.17. bridge-utils

6.17.1. RHEA-2013:0322 — bridge-utils enhancement update

Updated bridge-utils packages that add two enhancements are now available for Red Hat Enterprise Linux 6.

The bridge-utils packages contain utilities for configuration of the Linux Ethernet bridge. The Linux Ethernet bridge can be used to connect multiple Ethernet devices together. This connection is fully transparent: hosts connected to one Ethernet device see hosts connected to the other Ethernet devices directly.

Enhancements

BZ#676355
The man page was missing the multicast option descriptions. This update adds that information to the man page.

BZ#690529
This enhancement adds the missing feature described in the BRCTL(8) man page, that allows the user to get the bridge information for a simple bridge using the "brctl show $BRIDGE" command.

All users of bridge-utils are advised to upgrade to these updated packages, which add these enhancements.

6.18. brltty

6.18.1. RHBA-2012:1231 — brltty bug fix update

Updated brltty packages that fix two bugs are now available for Red Hat Enterprise Linux 6.

BRLTTY is a background process (daemon) which provides access to the Linux console (when in text mode) for a blind person using a refreshable braille display. It drives the braille display, and provides complete screen review functionality.

Bug Fixes

BZ#684526
Previously, building the brltty package could fail on the ocaml's unpackaged files error. This happened only if the ocaml package was pre-installed in the build root. The "--disable-caml-bindings" option has been added in the %configure macro so that the package now builds correctly.

BZ#809326
Previously, the /usr/lib/libbrlapi.so symbolic link installed by the brlapi-devel package incorrectly pointed to ../../lib/libbrlapi.so. The link has been fixed to correctly point to ../../lib/libbrlapi.so.0.5.

All users of brltty are advised to upgrade to these updated packages, which fix these bugs.

6.19. btrfs-progs

6.19.1. RHBA-2013:0456 — btrfs-progs bug fix and enhancement update

Updated btrfs-progs packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The btrfs-progs packages provide user-space programs to create, check, modify, and correct any inconsistencies in a Btrfs file system.

Upgrade to an upstream version

The btrfs-progs packages have been upgraded to upstream version 0.2, which provides a number of bug fixes and enhancements over the previous version, including support for slashes in file system labels and new commands "btrfs-find-root", "btrfs-restore", and "btrfs-zero-log". This update also modifies the btrfs-progs utility, so that it is now built with the -fno-strict-aliasing method. (BZ#865600)

All users of btrfs-progs are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.20. ccid

6.20.1. RHSA-2013:0523 — Low: ccid security and bug fix update

An updated ccid package that fixes one security issue and one bug is now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.

Chip/Smart Card Interface Devices (CCID) is a USB smart card reader standard followed by most modern smart card readers. The ccid package provides a Generic, USB-based CCID driver for readers, which follow this standard.

Security Fix

CVE-2010-4530
An integer overflow, leading to an array index error, was found in the way the CCID driver processed a smart card's serial number. A local attacker could use this flaw to execute arbitrary code with the privileges of the user running the PC/SC Lite pcscd daemon (root, by default), by inserting a specially-crafted smart card.

Bug Fix

BZ#808115
Previously, CCID only recognized smart cards with 5V power supply. With this update, CCID also supports smart cards with different power supply.

All users of ccid are advised to upgrade to this updated package, which contains backported patches to correct these issues.

6.21. cdrkit

6.21.1. RHBA-2012:1451 — cdrkit bug fix update

Updated cdrkit packages that fix one bug are now available for Red Hat Enterprise Linux 6.

The cdrkit packages contain a collection of CD/DVD utilities for generating the ISO9660 file-system and burning media.

Bug Fix

BZ#797990
Prior to this update, overlapping memory was handled incorrectly. As a consequence, newly created paths could be garbled when calling "genisoimage" with the "-graft-points" option to graft the paths at points other than the root directory. This update modifies the underlying code to generate graft paths as expected.

All users of cdrkit are advised to upgrade to these updated packages, which fix this bug.

6.22. certmonger

6.22.1. RHBA-2013:0320 — certmonger bug fix and enhancement update

Updated certmonger packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The certmonger daemon monitors certificates which have been registered with it, and as a certificate's not-valid-after date approaches, the daemon can optionally attempt to obtain a fresh certificate from a supported CA.

Upgrade to an upstream version

The certmonger packages have been upgraded to upstream version 0.61, which provides a number of bug fixes and enhancements over the previous version. (BZ#827611)

Bug Fixes

BZ#810016
When certmonger was set up to not attempt to obtain a new certificate and the certificate's valid remaining time crossed a configured time to live (TTL) threshold, certmonger warned of a certificate's impending not-valid-after date. Certmonger then immediately logged the warning again, and continued to do so indefinitely, causing the /var/log/messages file to fill up with warnings. This bug has been fixed and certmonger returns a warning again only when another configured TTL threshold is crossed or the service is restarted.

BZ#893611
When certmonger attempts to save a certificate to an NSS database, it necessarily opens that database for writing. Previously, if any other process, including any other certmonger tasks that could require access to that database, had the database open for writing, that database could become corrupted. This update backports changes from later versions of certmonger which change its behavior. Now, actions that could result in database modifications are only performed one at a time.

All users of certmonger are advised to upgrade to these updated packages which fix these bugs and add these enhancements.

6.23. cifs-utils

6.23.1. RHBA-2013:0408 — cifs-utils bug fix and enhancement update

Updated cifs-utils packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The SMB/CIFS protocol is a standard file sharing protocol widely deployed on Microsoft Windows machines. This package contains tools for mounting shares on Linux using the SMB/CIFS protocol. The tools in this package work in conjunction with support in the kernel to allow one to mount a SMB/CIFS share onto a client and use it as if it were a standard Linux file system.

Bug Fixes

BZ#856729
When the mount.cifs utility ran out of addresses to try, it returned the "System error" error code (EX_SYSERR) to the caller service. The utility has been modified and it now correctly returns the "Mount failure" error code (EX_FAIL).

BZ#826825
Typically, "/" characters are not allowed in user names for Microsoft Windows systems, but they are common in certain types of Kerberos principal names. However, mount.cifs previously allowed the use of "/" in user names, which caused attempts to mount CIFS file systems to fail. With this package, "/" characters are now allowed in user names if the "sec=krb5" or "sec=krb5i" mount options are specified, thus CIFS file systems can now be mounted as expected.

BZ#838606
Previously, the cifs-utils packages were compiled without the RELRO (read-only relocations) and PIE (Position Independent Executables) flags. Programs provided by this package could be vulnerable to various attacks based on overwriting the ELF section of a program. The "-pie" and "-fpie" options enable the building of position-independent executables, and the "-Wl,-z,relro" option turns on read-only relocation support in gcc. These options are important for security purposes to guard against possible buffer overflows that lead to exploits. The cifs-utils binaries are now built with PIE and full RELRO support. The cifs-utils binaries are now better secured against "return-to-text" and memory corruption attacks and also against attacks based on the program's ELF section overwriting.
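The PIE and RELRO properties named in BZ#838606 can be verified from a binary's ELF headers after an upgrade. The following is an added example, not code from cifs-utils or Red Hat: it handles 64-bit little-endian ELF only, treats ET_DYN plus a PT_INTERP segment as PIE (a heuristic), and the helper build_sample produces constructed, header-only images so the check can be exercised offline.

```python
import struct
import sys

ET_DYN = 3
PT_DYNAMIC, PT_INTERP, PT_GNU_RELRO = 2, 3, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def elf_hardening(data):
    """Return {'pie': bool, 'relro': 'none'|'partial'|'full'} for an ELF64 LE image."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    if e_phnum and e_phentsize < 56:
        raise ValueError("program header entries are too small")

    seg_types, dynamic = set(), None
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 56 > len(data):
            raise ValueError("program header table runs past end of file")
        p_type, _flags, p_offset, _vaddr, _paddr, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, off)
        seg_types.add(p_type)
        if p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)

    # Full RELRO needs the RELRO segment AND immediate binding, so that the
    # GOT is fully resolved before the loader remaps it read-only.
    bind_now = False
    if dynamic:
        start, size = dynamic
        end = min(start + size, len(data))
        for off in range(start, end - 15, 16):
            d_tag, d_val = struct.unpack_from("<qQ", data, off)
            if d_tag == DT_NULL:
                break
            if (d_tag == DT_BIND_NOW
                    or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW)
                    or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW)):
                bind_now = True

    if PT_GNU_RELRO not in seg_types:
        relro = "none"
    else:
        relro = "full" if bind_now else "partial"
    # Heuristic: shared objects are also ET_DYN but normally carry no PT_INTERP.
    pie = e_type == ET_DYN and PT_INTERP in seg_types
    return {"pie": pie, "relro": relro}


def build_sample(e_type, with_relro, dyn_entries):
    """Build a constructed, header-only ELF64 image (test input, not runnable)."""
    segs = [PT_INTERP, PT_DYNAMIC] + ([PT_GNU_RELRO] if with_relro else [])
    dyn = b"".join(struct.pack("<qQ", tag, val)
                   for tag, val in list(dyn_entries) + [(DT_NULL, 0)])
    dyn_off = 64 + 56 * len(segs)
    ehdr = struct.pack("<4sBBBB8xHHIQQQIHHHHHH", b"\x7fELF", 2, 1, 1, 0,
                       e_type, 62, 1, 0, 64, 0, 0, 64, 56, len(segs), 0, 0, 0)
    phdrs = b"".join(
        struct.pack("<IIQQQQQQ", t, 4, dyn_off if t == PT_DYNAMIC else 0, 0, 0,
                    len(dyn) if t == PT_DYNAMIC else 0, 0, 8)
        for t in segs)
    return ehdr + phdrs + dyn


if __name__ == "__main__":
    # Usage: python check_elf.py /path/to/binary [...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, elf_hardening(fh.read()))
```

A binary built as the note describes should report pie True and relro "full"; "partial" means the GNU_RELRO segment exists but lazy binding leaves part of the GOT writable.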

Enhancements

BZ#843596
With this update, the "strictcache", "actimeo", "cache=" and "rwpidforward" mount options are now documented in the mount.cifs(8) manual page.

BZ#843612
The "getcifsacl", "setcifsacl" and "cifs.idmap" programs have been added to the package. These utilities allow users to manipulate ACLs on CIFS shares and allow the mapping of Windows security IDs to POSIX user and group IDs.

BZ#843617
With this update, the cifs.idmap helper, which allows SID to UID and SID to GID mapping, has been added to the package. Also, the manual page cifs.upcall(8) has been updated and cifs.idmap(8) has been added.

Users of cifs-utils are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.24. clustermon

6.24.1. RHBA-2013:0469 — clustermon bug fix update

Updated clustermon packages that fix two bugs are now available for Red Hat Enterprise Linux 6.

The clustermon packages provide the modclusterd daemon, which is a service for remote cluster management. Modclusterd serves as an abstraction of the cluster status that utilizes other clustermon parts exposed through conga, the Simple Network Management (SNMP), and Common Information Model (CIM).

Bug Fixes

BZ#865588
Prior to this update, the dynamic library that represents the CIM provider of a cluster status was not built with all the required dependencies and therefore certain symbols could not be resolved. As a consequence, the cluster status could not be accessed via CIM. This update adds the missing dependencies to the dynamic library. Now, the cluster status is accessible as expected.

BZ#885830
Prior to this update, the size of XML-formatted cluster configuration (as in cluster.conf file) greater than 200 kB might have crashed modcluster, a program assisting the ricci daemon in handling the cluster configuration file (cluster.conf), or modclusterd, a daemon providing cluster status. This update drops this restriction and both executables no longer abort with larger configurations.

All users of clustermon are advised to upgrade to these updated packages, which fix these bugs.

6.25. cluster and gfs2-utils

6.25.1. RHBA-2013:0287 — cluster and gfs2-utils bug fix and enhancement update

Updated cluster and gfs2-utils packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The Red Hat Cluster Manager is a collection of technologies working together to provide data integrity and the ability to maintain application availability in the event of a failure. Using redundant hardware, shared disk storage, power management, and robust cluster communication and application failover mechanisms, a cluster can meet the needs of the enterprise market.

Bug Fixes

BZ#785866
With this update, a minor typographical error has been fixed in the /usr/share/cluster/cluster.rng.in.head RELAX NG schema.

BZ#803477
Previously, the fsck.gfs2 program printed irrelevant error messages when reclaiming free metadata blocks. These messages could have been incorrectly understood as file system errors. With this update, these messages are no longer displayed.

BZ#814807
The master_wins implementation of the qdiskd daemon was not sufficiently fast to hand over the master status during the ordered shutdown. Consequently, a temporary loss of quorum in the cluster could have occurred. With this update, master_wins has been modified to operate more quickly.

BZ#838047
Previously, the master_wins implementation of the qdiskd daemon did not check strictly for errors in the /etc/cluster/cluster.conf file. Consequently, with several incorrect options in cluster.conf, two quorate partitions could have been created at the same time. With this update, master_wins has been modified to perform strict error checking to avoid the creation of multiple quorate partitions.

BZ#838945
Prior to this update, an overly long cluster name in the /etc/cluster/cluster.conf file could cause a buffer overflow when running the fsck.gfs2 utility on a GFS2 file system with a corrupt super block. With this update, the cluster name is truncated appropriately when the super block is being rebuilt. Now, the buffer overflow condition no longer occurs in the described case.

BZ#839241
Under certain circumstances, the cman cluster manager did not propagate two internal values across configuration reloads. Consequently, runtime inconsistencies could occur. This bug has been fixed, and the aforementioned error no longer occurs. Also, a corner case memory leak has been fixed.

BZ#845341
Prior to this update, the fenced daemon created the /var/log/cluster/fenced.log file with world readable permissions. With this update, fenced has been modified to set more strict security permissions for its log file. Also, permissions of an existing log file are automatically corrected if necessary.

BZ#847234
Previously, an insufficient buffer length limitation did not allow long configuration lines in the /etc/cluster/cluster.conf configuration file. Consequently, a long entry in the file caused the corosync utility to terminate unexpectedly with a segmentation fault. With this update, the length limit has been extended. As a result, the segmentation fault no longer occurs in this situation.

BZ#853180
When a GFS2 file system was mounted with the lock_nolock option enabled, the cman cluster manager incorrectly checked the currently used resources. Consequently, cman failed to start. This bug has been fixed, and cman now starts successfully in the described case.

BZ#854032
In certain corner cases, triggered especially when shutting down all cluster nodes at the same time, the cluster daemons failed to quit within the cman shutdown limit (10 seconds). Consequently, the cman cluster manager declared a shutdown error. With this update, the default shutdown timeout has been increased to 30 seconds to prevent the shutdown error.

BZ#857952
Under rare circumstances, the fenced daemon polled an incorrect file descriptor from the cman cluster manager. Consequently, fenced entered a loop and the cluster became unresponsive. This bug has been fixed, and the aforementioned error no longer occurs.

BZ#861340
The fenced daemon is usually started before the messagebus (D-BUS) service, which has no harmful operational effects. Previously, this behavior was recorded as an error message in the /var/log/cluster/fenced.log file. To avoid confusion, this error message is now entered into /var/log/cluster/fenced.log only when the log level is set to debugging.

BZ#862847
Previously, the mkfs.gfs2 -t command accepted non-standard characters, like slash (/), in the lock table name. Consequently, only the first cluster node was able to mount a GFS2 file system successfully. The next node attempting to mount a GFS2 file system became unresponsive. With this update, a more strict validation of lock table names has been introduced. As a result, cluster nodes no longer hang when special characters are used in lock table.

BZ#887787
Previously, when the client using the cman API called the cman_stop_notification() function after cman was already closed, the client terminated with the SIGPIPE signal. With this update, the underlying source code has been modified to address this issue, and the MSG_NOSIGNAL message is now displayed to warn the user in the described scenario.

BZ#888053
Prior to this update, the gfs2_convert tool was unable to handle certain corner cases when converting between GFS1 and GFS2 file systems. Consequently, the converted GFS2 file system contained errors. With this update, gfs2_convert has been fixed to detect these corner cases and adjust the converted file system accordingly.

Enhancements

BZ#661764
The cman cluster manager is now supported with the bonding mode options 0, 1, and 2. Prior to this update, only bonding mode 1 was supported.

BZ#738704
This update adds support for clusters utilizing the Red Hat Enterprise Virtualization Manager native shared storage between nodes.

BZ#786118
The hostname aliases from the /etc/hosts file are now accepted as cluster node names across cluster applications.

BZ#797952
A new tool, fence_check, has been added to provide a method to test the fence configuration in a non disruptive way. The tool has been designed to run via the crontab utility for regular monitoring of fence devices.

BZ#821016
This update enables passing additional command line options to the dlm_controld daemon using the /etc/sysconfig/cman file.

BZ#842370
The Distributed Lock Manager (DLM) now allows tuning of DLM hash table sizes from the /etc/sysconfig/cman file. The following parameters can be set in the /etc/sysconfig/cman file:

DLM_LKBTBL_SIZE=<size_of_table>
DLM_RSBTBL_SIZE=<size_of_table>
DLM_DIRTBL_SIZE=<size_of_table>

which, in turn, modifies the values in the following files respectively:

/sys/kernel/config/dlm/cluster/lkbtbl_size
/sys/kernel/config/dlm/cluster/rsbtbl_size
/sys/kernel/config/dlm/cluster/dirtbl_size

BZ#857299
Previously, it was not possible to modify the default TCP port (21064) of the Distributed Lock Manager (DLM). With this update, the DLM_TCP_PORT configuration parameter has been added into the /etc/sysconfig/cman file. As a result, the DLM TCP port can be manually configured.

BZ#860048
The fsck.gfs2 program now checks for formal mismatches between disk inode numbers and directory entries in the GFS2 file system.

BZ#860847
This update adds support for two and four node clusters utilizing the rgmanager daemon with the rrp_mode option enabled.

BZ#878196
This update adds support for clusters utilizing the VMware's VMDK (Virtual Machine Disk) disk image technology with the multi-writer option. This allows using VMDK-based storage with the multi-writer option for clustered file systems such as GFS2.

All users of cluster and gfs2-utils are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.26. control-center

6.26.1. RHBA-2013:0335 — control-center bug fix update

Updated control-center packages that fix one bug are now available for Red Hat Enterprise Linux 6.

The control-center packages provide various configuration utilities for the GNOME desktop. These utilities allow the user to configure accessibility options, desktop fonts, keyboard and mouse properties, sound setup, desktop theme and background, user interface properties, screen resolution, and other settings.

Bug Fix

BZ#805069
Prior to this update, the status LEDs on Wacom tablets did not correctly indicate the current mode. With this update, the LEDs now indicate which of the Touch Ring or Touch Strip modes are active.

All users of control-center are advised to upgrade to these updated packages, which fix this bug.

6.27. coolkey

6.27.1. RHBA-2013:0397 — coolkey bug fix and enhancement update

Updated coolkey packages that fix several bugs and add an enhancement are now available for Red Hat Enterprise Linux 6.

Coolkey is a smart card support library for the CoolKey, CAC (Common Access Card), and PIV (Personal Identity Verification) smart cards.

Bug Fixes

BZ#861108
Previously, Coolkey was unable to recognize PIV-I cards. This update fixes the bug and Coolkey now allows these cards to be read and display certificate information as expected.

BZ#879563
Prior to this update, the pkcs11_listcerts and pklogin_finder utilities were unable to recognize certificates and USB tokens on smart cards after upgrading the Coolkey library. A patch has been provided to address this issue and these utilities now work as expected.

BZ#806038
Previously, the remote-viewer utility failed to utilize a plugged smart card reader when a Spice client was running. Eventually, the client could terminate unexpectedly. Now, remote-viewer recognizes the reader and offers authentication once the card is inserted and the crashes no longer occur.

BZ#884266
Previously, certain new PIV-II smart cards could not be recognized by client card readers, the ESC card manager, or the pklogin_finder utility. A patch has been provided to address this issue and PIV-II cards now work with Coolkey as expected.

Enhancement

BZ#805693
Support for Oberthur Smart Cards has been added to the Coolkey library.

Users of coolkey are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.

6.28. Core X11 Libraries

6.28.1. RHBA-2013:0294 — Core X11 libraries bug fix and enhancement update

Updated Core X11 libraries packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The Core X11 libraries contain the base protocol of the X Window System, which is a networked windowing system for bitmap displays used to build graphical user interfaces on Unix, Unix-like, and other operating systems.

The pixman package has been upgraded to upstream version 0.18.4, which provides a number of bug fixes and enhancements over the previous version. (BZ#644296)

The following packages have been upgraded to their upstream versions to conform to X Window System Test Suite (XTS5):

Table 6.1. Upgraded packages

Package name    Upstream version    BZ number
libxcb          1.8.1               755654
libXcursor      1.1.13              755656
libX11          1.5.0               755657
libXi           1.6.1               755658
libXt           1.1.3               755659
libXfont        1.4.5               755661
libXrender      0.9.7               755662
libXtst         1.2.1               755663
libXext         1.3.1               755665
libXaw          1.0.11              755666
libXrandr       1.4.0               755667
libXft          2.3.1               755668

The following packages have been upgraded to their respective upstream versions, which provide a number of bug fixes and enhancements over the previous versions.

Table 6.2. Upgraded packages

Package name             Upstream version    BZ number
libXau                   1.0.6               835172
libXcomposite            0.4.3               835183
libXdmcp                 1.1.1               835184
libXevie                 1.0.3               835186
libXinerama              1.1.2               835187
libXmu                   1.1.1               835188
libXpm                   3.5.10              835190
libXres                  1.0.6               835191
libXScrnSaver            1.2.2               835192
libXv                    1.0.7               835193
libXvMC                  1.0.7               835195
libXxf86dga              1.1.3               835196
libXxf86misc             1.0.3               835197
libXxf86vm               1.1.2               835198
libdrm                   2.4.39              835202
libdmx                   1.1.2               835203
pixman                   0.26.2              835204
xorg-x11-proto-devel     7.6                 835206
xorg-x11-util-macros     1.17                835207
xorg-x11-xtrans-devel    1.2.7               835276
xkeyboard-config         2.6                 835284
libpciaccess             0.13.1              843585
xcb-proto                1.7                 843593
libSM                    1.2.1               843641

Bug Fixes

BZ#802559
Previously, in the xorg-x11-proto-devel package, the definition of the _X_NONNULL macro was incompatible with C89 compilers. Consequently, C89 applications could not be built in C89 mode if the X11/Xfuncproto.h file was included. This update fixes the macro definition to be compatible with C89 mode.

BZ#804907
Prior to this update, XI2 events were not properly initialized and could contain garbage values. A patch for the libXi package, which had been setting values to garbage, has been provided to fix this bug. Now, actual events no longer contain garbage values and are initialized as expected.

BZ#871460
Previously, the spec file of the xkeyboard-config package used the %{dist} macro in the Version tag. Although the standard Red Hat Enterprise Linux build environment defines this macro, it does not need to be defined. If it was not defined, %{dist} appeared literally in the resulting RPM package's version string when the package was rebuilt. The spec file has been corrected to use the conditional %{?dist} form, which expands to an empty string if %{dist} is not defined.

Users of Core X11 libraries are advised to upgrade to these updated packages, which fix these bugs and add various enhancements.

6.29. Core X11 clients

6.29.1. RHSA-2013:0502 — Low: Core X11 clients security, bug fix, and enhancement update

Updated core client packages for the X Window System that fix one security issue, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.

The Core X11 clients packages provide the xorg-x11-utils, xorg-x11-server-utils, and xorg-x11-apps clients that ship with the X Window System.

Security Fix

CVE-2011-2504
It was found that the x11perfcomp utility included the current working directory in its PATH environment variable. Running x11perfcomp in an attacker-controlled directory would cause arbitrary code execution with the privileges of the user running x11perfcomp.
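The class of problem behind CVE-2011-2504 can be checked for in any PATH value. The following is an added example, not code from Red Hat or from x11perfcomp; the function names and the sample value are hypothetical. It lists the entries that make the shell search the current working directory and shows the value with those entries removed.

```shell
#!/bin/sh
# Added example: audit a PATH value for entries that resolve against the
# current working directory. Per POSIX, an empty entry (leading, trailing or
# doubled colon) means the cwd, and so do "." and any relative entry.

# path_cwd_entries PATHSTRING
# Prints one finding per line as "<position>:<kind>:<entry>".
# Returns 1 if at least one risky entry was found, 0 otherwise.
path_cwd_entries() {
    position=0
    found=0
    # Append a colon so that a trailing empty entry survives the split.
    rest="${1}:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        position=$((position + 1))
        case $entry in
            "")   kind=empty ;;
            .|./) kind=dot ;;
            /*)   continue ;;      # absolute entries are not cwd-dependent
            *)    kind=relative ;;
        esac
        printf '%s:%s:%s\n' "$position" "$kind" "$entry"
        found=1
    done
    return "$found"
}

# path_without_cwd PATHSTRING
# Prints PATHSTRING with every non-absolute entry removed, preserving order.
path_without_cwd() {
    rest="${1}:"
    clean=
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case $entry in
            /*) clean=${clean:+$clean:}$entry ;;
        esac
    done
    printf '%s\n' "$clean"
}

# Constructed sample value, not taken from any real script.
sample_path='/usr/bin:/bin:.'
path_cwd_entries "$sample_path" || echo "cwd is searched; safe value: $(path_without_cwd "$sample_path")"
```

Calling `path_cwd_entries "$PATH"` at the top of a script that is run from untrusted directories gives an early warning before any command lookup happens.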

Note

The xorg-x11-utils and xorg-x11-server-utils packages have been upgraded to upstream version 7.5, and the xorg-x11-apps package to upstream version 7.6, which provide a number of bug fixes and enhancements over the previous versions. (BZ#835277, BZ#835278, BZ#835281)

All users of xorg-x11-utils, xorg-x11-server-utils, and xorg-x11-apps are advised to upgrade to these updated packages, which fix these issues and add these enhancements.

6.30. corosync

6.30.1. RHBA-2013:0497 — corosync bug fix update

Updated corosync packages that fix several bugs and add multiple enhancements are now available for Red Hat Enterprise Linux 6.

The corosync packages provide the Corosync Cluster Engine and C Application Programming Interfaces (APIs) for Red Hat Enterprise Linux cluster software.

Bug Fixes

BZ#783068
Prior to this update, the corosync-notifyd service did not run after restarting the process. This update modifies the init script to wait for the actual exit of previously running instances of the process. Now, the corosync-notifyd service runs as expected after restarting.

BZ#786735
Prior to this update, an incorrect node ID was sent in recovery messages when corosync entered recovery. As a consequence, debugging problems in the source code was difficult. This update sets the correct node ID.

BZ#786737
Upon receiving the JoinMSG message in the OPERATIONAL state, a node enters the GATHER state. However, if JoinMSG was discarded, the nodes sending this JoinMSG could not receive a response until the tokens of other nodes had expired. This caused the nodes that had entered the GATHER state to spend more time rejoining the ring. With this update, the underlying source code has been modified to address this issue.

BZ#787789
Prior to this update, when the netfilter firewall blocked input and output multicast packets, corosync could become suspended and fail to create membership, and the cluster could not be used. After this update, corosync no longer depends on the multicast loop kernel feature for local message delivery, but uses a socketpair UNIX datagram socket.

BZ#794744
Previously, on InfiniBand devices, corosync autogenerated the node ID when the configuration file or the cluster manager (cman) already set one. This update modifies the underlying code to recognize user-set node IDs. Now, corosync autogenerates node IDs only when the user has not entered one.

BZ#821352
Prior to this update, corosync sockets were bound to the peer's IP address instead of the local IP address when the IP address was configured as peer-to-peer (netmask /32). As a consequence, corosync was unable to create memberships. This update modifies the underlying code to use the correct information about the local IP address.

BZ#824902
Prior to this update, the corosync logic always used the first IP address that was found. As a consequence, users could not use more than one IP address on the same network. This update modifies the logic to use the first network address if no exact match was found. Now, users can bind to the IP address they select.

BZ#827100
Prior to this update, some sockets were not bound to a concrete IP address but listened on all interfaces in the UDPU mode. As a consequence, users could encounter problems when configuring the firewall. This update binds all sockets correctly.

BZ#847232
Prior to this update, configuration file names that consisted of more than 255 characters could cause corosync to abort unexpectedly. This update returns the complete item value. In case of the old ABI, corosync prints an error. Now, corosync no longer aborts with longer names.

BZ#838524
When corosync was running with the votequorum library enabled, votequorum's register reloaded the configuration handler after each change in the configuration database (confdb). This caused corosync to run slower and to eventually encounter an Out Of Memory error. After this update, a register callback is only performed during startup. As a result, corosync no longer slows down or encounters an Out Of Memory error.

BZ#848210
Prior to this update, the corosync-notifyd output was considerably slow and corosync memory grew when D-Bus output was enabled. Memory was not freed when corosync-notifyd was closed. This update modifies the corosync-notifyd event handler not to wait when there is nothing to receive and send from or to D-Bus. Now, corosync frees memory when the IPC client exits and corosync-notifyd produces output at the speed of incoming events.

BZ#830799
Previously, the node cluster did not correspond with the CPG library membership. Consequently, the nodes were recognized as unknown, and corosync warning messages were not returned. A patch with an enhanced log from CPG has been provided to fix this bug. Now, the nodes work with CPG correctly, and appropriate warning messages are returned.

BZ#902397
Due to a regression, the corosync utility did not work with IPv6, which caused the network interface to be down. A patch has been provided to fix this bug. Corosync now works with IPv6 as expected, and the network interface is up.

BZ#865039
Previously, during heavy cluster operations, one of the nodes failed, sending numerous instances of the following message to the syslog file:

dlm_controld[32123]: cpg_dispatch error 2

A patch has been applied to address this issue.

BZ#850757
Prior to this update, corosync dropped ORF tokens together with memb_join packets when using CPU timing on certain networks. As a consequence, the RRP interface could be wrongly marked as faulty. This update drops only memb_join messages.

BZ#861032
Prior to this update, the corosync.conf parser failed if the ring number was larger than the allowed maximum of 1. As a consequence, corosync could abort with a segmentation fault. This update adds a check to the corosync.conf parser. Now, an error message is printed if the ring number is larger than 1.

BZ#863940
Prior to this update, corosync stopped on multiple nodes. As a consequence, corosync could, under certain circumstances, abort with a segmentation fault. This update ensures that the corosync service no longer calls callbacks on unloaded services.

BZ#869609
Prior to this update, corosync could abort with a segmentation fault when a large number of corosync nodes were started together. This update modifies the underlying code to ensure that the NULL pointer is not dereferenced. Now, corosync no longer encounters segmentation faults when starting multiple nodes at the same time.

BZ#876908
Prior to this update, the corosync-objctl command with additional parameters could cause the error "Error reloading DB 11". This update removes the reloading function and handles changes of changed objects in the configuration database (confdb). Now, the logging level can be changed as expected.

BZ#873059
Several typos in the corosync(8) manual page have been fixed. Also, manual pages for confdb_* functions have been added.

Enhancements

BZ#770455
With this update, the corosync log includes the hostname and the process ID of the processes that join the cluster to allow for better troubleshooting.

BZ#794522
This update adds the manual page confdb_keys.8 to provide descriptions for corosync runtime statistics that are returned by corosync-objctl.

BZ#838743
This update adds the new trace level to filter corosync flow messages to improve debugging.

Users of corosync are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.31. cpuspeed

6.31.1. RHBA-2013:0490 — cpuspeed bug fix update

Updated cpuspeed packages that fix one bug are now available for Red Hat Enterprise Linux 6.

The cpuspeed packages contain a daemon that dynamically changes the speed of processors depending upon their current workload. This package also supports enabling CPU frequency scaling via in-kernel CPUfreq governors on Intel Centrino and AMD Athlon64/Opteron platforms.

Bug Fix

BZ#876738
Previously, the cpuspeed daemon used a naive method of getting the highest available scaling frequency. Consequently, on certain platforms, cpuspeed did not set the CPU to the correct maximum limit. A patch has been provided to address this issue and cpuspeed now sets the maximum speed correctly.

Users of cpuspeed are advised to upgrade to these updated packages, which fix this bug.

6.31.2. RHBA-2012:1404 — cpuspeed bug fix update

Updated cpuspeed packages that fix four bugs are now available for Red Hat Enterprise Linux 6.

The cpuspeed packages provide a daemon to manage the CPU frequency scaling.

Bug Fixes

BZ#642838
Prior to this update, when the PCC driver was loaded, it used the “userspace” governor instead of the “ondemand” governor. This update modifies the init script to also check the PCC driver.

BZ#738463
Prior to this update, the cpuspeed init script tried to set cpufrequency system files on a per-core basis, which was a deprecated procedure. This update sets thresholds globally.

BZ#616976
Prior to this update, the cpuspeed tool did not reset MIN and MAX values when the configuration file was emptied. As a consequence, the MIN_SPEED or MAX_SPEED values were not reset as expected. This update adds conditionals in the init script to check these values. Now, the MIN_SPEED or MAX_SPEED values are reset as expected.

BZ#797055
Prior to this update, the init script did not handle the IGNORE_NICE parameter as expected. As a consequence, "-n" was added to command options when the IGNORE_NICE parameter was set. This update modifies the init script to stop adding the NICE option when using the IGNORE_NICE parameter.

All users of cpuspeed are advised to upgrade to these updated packages, which fix these bugs.

6.32. crash

6.32.1. RHBA-2013:0317 — crash bug fix and enhancement update

Updated crash packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The crash packages provide a self-contained tool that can be used to investigate live systems, and kernel core dumps created from the netdump, diskdump, kdump, and Xen/KVM "virsh dump" facilities from Red Hat Enterprise Linux.

Upgrade to an upstream version

The crash packages have been upgraded to upstream version 6.1.0, which provides a number of bug fixes and enhancements over the previous version. (BZ#840051)

Bug Fix

BZ#843093
A recent time-keeping backport to the Red Hat Enterprise Linux 6 kernel caused the crash utility to fail during initialization with the "crash: cannot resolve: xtime" error message. This update modifies crash to recognize and handle the time-keeping change in the kernel so that crash now successfully starts up as expected.

Enhancements

BZ#739094
The crash utility has been modified to support dump files in the firmware-assisted dump (fadump) format for the 64-bit PowerPC architecture.

BZ#834260
The "struct -o" option has been enhanced to accept a virtual address argument. If an address argument is entered, the structure members are prepended by their virtual address.

BZ#834276
The "bt" command has been enhanced by adding new "-s" and "[-xd]" options that allow displaying symbol names plus their offset in each frame. The default behavior is unchanged where only the symbol name is displayed. The symbol offset is expressed in the default output format, which can be overridden using the "-x" (hexadecimal) or "-d" (decimal) options.

All users of crash are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.33. createrepo

6.33.1. RHBA-2013:0328 — createrepo bug fix and enhancement update

Updated createrepo packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The createrepo packages contain the utility that generates a common metadata repository from a directory of RPM packages.

Upgrade to an upstream version

The createrepo packages have been upgraded to upstream version 0.9.9, which provides a number of bug fixes and enhancements over the previous version, including support for multitasking in the createrepo utility. This update also modifies the "--update" option to use the SQLite database instead of the XML files in order to reduce memory usage. (BZ#631989, BZ#716235)

Bug Fix

BZ#833350
Previously, the createrepo utility ignored the "umask" command for files created in the createrepo cache directory. This behavior caused problems when more than one user was updating repositories. The bug has been fixed, and multiple users can now update repositories without complications.

Enhancements

BZ#646644
It is now possible to use the "createrepo" command with both the "--split" and the "--pkglist" options simultaneously.

BZ#714094
It is now possible to remove metadata from the repodata directory using the modifyrepo program. This update also enhances updating of the existing metadata.

All users of createrepo are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.34. ctdb

6.34.1. RHBA-2013:0337 — ctdb bug fix update

Updated ctdb packages that fix various bugs are now available for Red Hat Enterprise Linux 6.

The ctdb packages provide a clustered database based on Samba's Trivial Database (TDB) used to store temporary data.

Upgrade to an upstream version

The ctdb packages have been upgraded to upstream version 1.0.114.5, which provides a number of bug fixes over the previous version. (BZ#838885)

Bug Fixes

BZ#758367
While running ctdb on the GFS2 file system, ctdb could ban a stable node when another node was started or stopped. This bug has been fixed by the rebase and stable nodes are no longer banned in the described scenario.

BZ#821715
Previously, on the Glusterfs file system, the ctdb lock file and configuration files were shared. Consequently, the ctdbd daemon running on a node terminated unexpectedly when another node in the cluster was brought down. This bug has been fixed by the rebase and ctdbd no longer crashes in the described scenario.

BZ#866670
After removing a ctdb node, the "ctdb status" command reported the same number of nodes as before the node was removed. A patch has been provided to address this issue and "ctdb status" now returns an accurate number of nodes after a remove operation.

Users of ctdb are advised to upgrade to these updated packages, which fix these bugs.

6.35. curl

6.35.1. RHBA-2013:0393 — curl bug fix update

Updated curl packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The curl packages provide the cURL utility for getting files from HTTP, FTP, FILE, LDAP, LDAPS, DICT, TELNET, and TFTP servers, using any of the supported protocols. This utility offers many useful capabilities, such as proxy support, user authentication, FTP upload, HTTP post, and file transfer resume.

Bug Fixes

BZ#741935
The libssh2 library did not sufficiently reflect its ABI extensions in its version, which prevented the RPM dependency scanner from adding the correct dependency of libcurl on an updated version of libssh2. Consequently, if the user updated libcurl without first updating libssh2, the update ended with incorrect linkage of libcurl and the user was then unable to update libssh2 using yum. An explicit dependency of libcurl on an updated version of libssh2 has been added and yum can now be used to update libcurl.

BZ#746629
Previously, libcurl required certificates loaded from files to have unique file base names due to a limitation of the legacy API of NSS (Network Security Services). Some packages using libcurl did not fulfil this requirement and caused nickname collisions within NSS. Now, libcurl has been modified to use a newer API of NSS, which does not suffer from this limitation, and packages using libcurl are now allowed to load certificates from files with unrestricted file names.

BZ#813127
Previously, libcurl misinterpreted the Content-Length HTTP header when receiving data using the chunked encoding. Consequently, libcurl failed to read the last chunk of data and the transfer terminated prematurely. An upstream patch has been applied to fix the handling of the header and the chunked encoding in libcurl now works as expected.

BZ#841905
A sub-optimally chosen identifier in cURL source files clashed with an identifier from a public header file introduced in a newer version of libssh2, which prevented the curl package from a successful build. An upstream patch has been applied on cURL source files, which fixes the identifier collisions and the package now builds as expected.

BZ#738456
The OpenLDAP suite was recently modified to use NSS instead of OpenSSL as the SSL backend. This change led to collisions between libcurl and OpenLDAP on NSS initialization and shutdown. Consequently, applications that were using both libcurl and OpenLDAP failed to establish SSL connections. This update modifies libcurl to use the same NSS API as OpenLDAP, which prevents collisions from occurring. Applications using OpenLDAP and libcurl can now connect to the LDAP server over SSL as expected.

BZ#719938
As a solution to a security issue, GSSAPI credential delegation was disabled, which broke the functionality of applications that were relying on delegation, incorrectly enabled by libcurl. To fix this issue, the CURLOPT_GSSAPI_DELEGATION libcurl option has been introduced in order to enable delegation explicitly when applications need it. All applications using GSSAPI credential delegation can now use this new libcurl option to be able to run properly.

BZ#772642
SSL connections could not be established with libcurl if the selected NSS database was broken or invalid. This update modifies the code of libcurl to initialize NSS without a valid database, which allows applications to establish SSL connections as expected.

BZ#873789
Previously, libcurl incorrectly checked return values of the SCP/SFTP write functions provided by libssh2. Negative values returned by those functions were treated as negative download amounts, which caused applications to terminate unexpectedly. With this update, all negative values are treated as errors and as such are properly handled on the libcurl level, thus preventing the crashes.

BZ#879592
Prior to this update, libcurl used an obsolete libssh2 API for uploading files over the SCP protocol, which limited the maximum size of files being transferred on 32-bit architectures. Consequently, the 32-bit packages of libcurl were unable to transfer large files over SCP. With this update, a new libssh2 API for SCP uploads is used, which does not suffer from this limitation, thus fixing this bug.

Enhancements

BZ#676596
Previously, libcurl provided only HTTP status codes in error messages when reporting HTTP errors. This could confuse users not familiar with HTTP. Now, libcurl has been improved to include the HTTP reason phrase in error messages, thus providing more understandable output.

BZ#730445
This update introduces a new option, --delegation, which enables Kerberos credential delegation in cURL.

Users of curl are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.36. cvs

6.36.1. RHBA-2012:1302 — cvs bug fix update

An updated cvs package that fixes two bugs is now available for Red Hat Enterprise Linux 6.

[Update 19 November 2012] The file list of this advisory was updated to move the new cvs-inetd package from the base repository to the optional repository in the Client and HPC Node variants. No changes have been made to the packages themselves.

The Concurrent Versions System (CVS) is a version control system that can record the history of your files. CVS only stores the differences between versions, instead of every version of every file you have ever created. CVS also keeps a log of who, when, and why changes occurred.

BZ#671145
Prior to this update, the C shell (csh) did not set the CVS_RSH environment variable to "ssh" and the remote shell (rsh) was used instead when the users accessed a remote CVS server. As a consequence, the connection was vulnerable to attacks because the remote shell is not encrypted or not necessarily enabled on every remote server. The cvs.csh script now uses valid csh syntax and the CVS_RSH environment variable is properly set at log-in.

BZ#695719
Prior to this update, the xinetd package was not a dependency of the cvs package. As a result, the CVS server was not accessible through the network. With this update, the cvs-inetd package, which contains the CVS inetd configuration file, ensures that the xinetd package is installed as a dependency and the xinetd daemon is available on the system.

All users of cvs are advised to upgrade to these updated packages, which fix these bugs.

6.37. dash

6.37.1. RHBA-2012:1381 — dash bug fix update

Updated dash packages that fix one bug are now available for Red Hat Enterprise Linux 6.

The dash packages provide the POSIX-compliant Debian Almquist shell intended for small media like floppy disks.

Bug Fix

BZ#706147
Prior to this update, the dash shell was not an allowed login shell. As a consequence, users could not log in using the dash shell. This update adds dash to the /etc/shells list of allowed login shells when installing or upgrading the dash package and removes it from the list when uninstalling the package. Now, users can log in using the dash shell.

All users of dash are advised to upgrade to these updated packages, which fix this bug.

6.38. device-mapper-multipath

6.38.1. RHBA-2013:0458 — device-mapper-multipath

Updated device-mapper-multipath packages that fix numerous bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The device-mapper-multipath packages provide tools for managing multipath devices using the device-mapper multipath kernel module.

Bug Fixes

BZ#578114
When the kpartx tool tried to delete a loop device that was previously created, and the udev utility had this loop device still open, the delete process would fail with the EBUSY error and kpartx did not attempt to retry this operation. The kpartx tool has been modified to wait for one second and then retry deleting up to three times after the EBUSY error. As a result, loop devices created by kpartx are now always deleted as expected.

BZ#595692
The multipathd daemon only checked SCSI IDs when determining World Wide Identifiers (WWIDs) for devices. However, CCISS devices do not support SCSI IDs and could not be used by Device Mapper Multipath. With this update, multipathd checks CCISS devices for CCISS IDs properly and the devices are detected as expected.

BZ#810755
Some device configurations in the /usr/share/doc/device-mapper-multipath-0.X.X/multipath.conf.defaults file were out of date. Consequently, if users copied those configurations into the /etc/multipath.conf file, their devices would be misconfigured. The multipath.conf.defaults file has been updated and users can now copy configurations from it without misconfiguring their devices. Note that copying configurations from the multipath.conf.defaults file is not recommended as the configurations in that file are built into dm-multipath by default.

BZ#810788
Previously, Device Mapper Multipath stored multiple duplicate blacklist entries, which were consequently shown when listing the device-mapper-multipath's configuration. Device Mapper Multipath has been modified to check for duplicates before storing configuration entries and to store only the unique ones.

BZ#813963
Device Mapper Multipath had two Asymmetric Logical Unit Access (ALUA) prioritizers, which checked two different values. Certain ALUA setups were not correctly failing back to the primary path using either prioritizer because both values need to be checked and neither prioritizer checked them both. With this update, configuration options of both ALUA prioritizers now select the same prioritizer function, which checks both values as expected.

BZ#816717
When removing kpartx device partitions, the multipath -f option accepted only the device name, not the full pathname. Consequently, an attempt to delete a multipath device by the full pathname failed if the device had the kpartx partitions. Device Mapper Multipath has been modified to accept the full pathname when removing kpartx device partitions, and the deleting process no longer fails in the described scenario.

BZ#821885
Previously, the multipath -c option incorrectly listed SCSI devices, which were blacklisted by device type, as valid multipath path devices. As a consequence, Device Mapper Multipath could remove the partitions from SCSI devices that never ended up getting multipathed. With this update, multipath -c now checks if a SCSI device is blacklisted by device type, and reports it as invalid if it is.

BZ#822389
On reload, if a multipath device was not set to use the user_friendly_names parameter or a user-defined alias, Device Mapper Multipath would use its existing name instead of setting the WWID. Consequently, disabling user_friendly_names did not cause the multipath device names to change back to WWIDs on reload. This bug has been fixed and Device Mapper Multipath now sets the device name to its WWID if no user_friendly_names or user-defined aliases are set. As a result, disabling user_friendly_names now allows device names to switch back to WWIDs on reload.

BZ#829065
When the Redundant Disk Array Controller (RDAC) checker returned the DID_SOFT_ERROR error, Device Mapper Multipath did not retry running the RDAC checker. This behavior caused Device Mapper Multipath to fail paths for transient issues that may have been resolved if it retried the checker. Device Mapper Multipath has been modified to retry the RDAC checker if it receives the DID_SOFT_ERROR error and no longer fails paths due to this error.

BZ#831045
When a multipath vector, which is a dynamically allocated array, was shrunk, Device Mapper Multipath was not reassigning the pointer to the array. Consequently, if the array location was changed by the shrinking, Device Mapper Multipath would corrupt its memory with unpredictable results. The underlying source code has been modified and Device Mapper Multipath now correctly reassigns the pointer after the array has been shrunk.

BZ#836890
Device Mapper Multipath was occasionally assigning a WWID with a white space for AIX VDASD devices. As a consequence, there was no single blacklist WWID entry that could blacklist the device on all machines. With this update, Device Mapper Multipath assigns WWIDs without any white space characters for AIX VDASD devices, so that all machines assign the same WWID to an AIX VDASD device and the user is always able to blacklist the device on all machines.

BZ#841732
If two multipath devices had their aliases swapped, Device Mapper Multipath switched their tables. Consequently, if the user switched aliases on two devices, any application using the device would be pointed to the incorrect Logical Unit Number (LUN). Device Mapper Multipath has been modified to check if the device's new alias matches a different multipath device, and if so, to not switch to it.

BZ#860748
Previously, Device Mapper Multipath did not check the device type and WWID blacklists as soon as this information was available for a path device. Device Mapper Multipath has been modified to check the device type and WWID blacklists as soon as this information is available. As a result, Device Mapper Multipath no longer waits before blacklisting invalid paths.

BZ#869253
Previously, the multipathd daemon and the kpartx tool did not instruct the libdevmapper utility to skip the device creation process and let udev create it. As a consequence, sometimes libdevmapper created a block device in the /dev/mapper/ directory, and sometimes udev created a symbolic link in the same directory. With this update, multipathd and kpartx prevent libdevmapper from creating a block device and udev always creates a symbolic link in the /dev/mapper/ directory as expected.

Enhancements

BZ#619173
This enhancement adds a built-in configuration for SUN StorageTek 6180 to Device Mapper Multipath.

BZ#735459
To set up persistent reservations on multipath devices, it was necessary to set it up on all of the path devices. If a path device was added later, the user had to manually add reservations to that path. This enhancement adds the ability to set up and manage SCSI persistent reservations using device-mapper devices with the mpathpersist utility. As a result, when path devices are added, persistent reservations are set up as well.

BZ#810989
This enhancement updates the multipathd init script to load the dm-multipath module, so that users do not have to do this manually in cases when no /etc/multipath.conf file is present during boot. Note that it is recommended to create the multipath.conf file by running the mpathconf --enable command, which also loads the dm-multipath module.

BZ#818367
When the RDAC path device is in service mode, it is unable to handle I/O requests. With this enhancement, Device Mapper Multipath puts an RDAC path device into a failed state if it is in the service mode.

BZ#839386
This update adds two new options to the defaults and devices sections of the multipath.conf file: the retain_attached_hw_handler option and the detect_prio option. By default, both of these options are set to no in the defaults section of the multipath.conf file. However, they are set to yes in the NETAPP/LUN device configuration file. If retain_attached_hw_handler is set to yes and the SCSI layer has attached a hardware handler to the device, Device Mapper Multipath sets the hardware as usual. If detect_prio is set to yes, Device Mapper Multipath will check if the device supports ALUA. If so, it automatically sets the prioritizer to the alua value. If the device does not support ALUA, Device Mapper Multipath sets the prioritizer as usual. This behavior allows NETAPP devices to work in ALUA or non-ALUA mode without making users change to built-in config.

In order for retain_attached_hw_handler to work, the SCSI layer must have already attached the device handler. To do this, the appropriate scsi_dh_XXX module, for instance scsi_dh_alua, must be loaded before the SCSI layer discovers the devices. To guarantee this, add the following parameter to the kernel command line:

rdloaddriver=scsi_dh_XXX

6.39. dhcp

6.39.1. RHSA-2013:0504 — Low: dhcp security and bug fix update

Updated dhcp packages that fix one security issue and two bugs are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.

The dhcp packages provide the Dynamic Host Configuration Protocol (DHCP) that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address.


Security Fix

CVE-2012-3955
A flaw was found in the way the dhcpd daemon handled the expiration time of IPv6 leases. If dhcpd's configuration was changed to reduce the default IPv6 lease time, lease renewal requests for previously assigned leases could cause dhcpd to crash.

Bug Fixes

BZ#803540
Prior to this update, the DHCP server discovered only the first IP address of a network interface if the network interface had more than one configured IP address. As a consequence, the DHCP server failed to restart if the server was configured to serve only a subnet of the following IP addresses. This update modifies network interface addresses discovery code to find all addresses of a network interface. The DHCP server can also serve subnets of other addresses.

BZ#824622
Prior to this update, the dhclient rewrote the /etc/resolv.conf file with backup data after it was stopped even when the PEERDNS flag was set to "no" before shut down if the configuration file was changed while the dhclient ran with PEERDNS=yes. This update removes the backing up and restoring functions for this configuration file from the dhclient-script. Now, the dhclient no longer rewrites the /etc/resolv.conf file when stopped.

All users of DHCP are advised to upgrade to these updated packages, which fix these issues. After installing this update, all DHCP servers will be restarted automatically.

6.40. dnsmasq

6.40.1. RHSA-2013:0277 — Moderate: dnsmasq security, bug fix and enhancement update

Updated dnsmasq packages that fix one security issue, one bug, and add various enhancements are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.

The dnsmasq packages contain Dnsmasq, a lightweight DNS (Domain Name Server) forwarder and DHCP (Dynamic Host Configuration Protocol) server.

Security Fix

CVE-2012-3411
It was discovered that dnsmasq, when used in combination with certain libvirtd configurations, could incorrectly process network packets from network interfaces that were intended to be prohibited. A remote, unauthenticated attacker could exploit this flaw to cause a denial of service via DNS amplification attacks.


In order to fully address this issue, libvirt package users are advised to install updated libvirt packages. Refer to RHSA-2013:0276 for additional information.

Bug Fix

BZ#815819
Due to a regression, the lease change script was disabled. Consequently, the "dhcp-script" option in the /etc/dnsmasq.conf configuration file did not work. This update corrects the problem and the "dhcp-script" option now works as expected.

Enhancements

BZ#824214
Prior to this update, dnsmasq did not validate that the tftp directory given actually existed and was a directory. Consequently, configuration errors were not immediately reported on startup. This update improves the code to validate the tftp root directory option. As a result, fault finding is simplified especially when dnsmasq is called by external processes such as libvirt.

BZ#850944
The dnsmasq init script used an incorrect Process Identifier (PID) in the "stop", "restart", and "condrestart" commands. Consequently, if there were some dnsmasq instances running besides the system one started by the init script, then repeated calling of "service dnsmasq" with "stop" or "restart" would kill all running dnsmasq instances, including ones not started with the init script. The dnsmasq init script code has been corrected to obtain the correct PID when calling the "stop", "restart", and "condrestart" commands. As a result, if there are dnsmasq instances running in addition to the system one started by the init script, then by calling "service dnsmasq" with "stop" or "restart" only the system one is stopped or restarted.

BZ#887156
When two or more dnsmasq processes were running with DHCP enabled on one interface, DHCP RELEASE packets were sometimes lost. Consequently, when two or more dnsmasq processes were running with DHCP enabled on one interface, releasing IP addresses sometimes failed. This update sets the SO_BINDTODEVICE socket option on DHCP sockets if running dnsmasq with DHCP enabled on one interface. As a result, when two or more dnsmasq processes are running with DHCP enabled on one interface, they can release IP addresses as expected.

All users of dnsmasq are advised to upgrade to these updated packages, which fix these issues and add these enhancements.

6.41. docbook-utils

6.41.1. RHBA-2012:1321 — docbook-utils bug fix update

Updated docbook-utils packages that fix one bug are now available for Red Hat Enterprise Linux 6.

The docbook-utils packages provide a set of utility scripts to convert and analyze SGML documents in general, and DocBook files in particular. The scripts are used to convert from DocBook or other SGML formats into file formats like HTML, man, info, RTF and many more.

Bug Fix

BZ#639866
Prior to this update, the Perl script used for generating manpages contained a misprint in the header. As a consequence, the header syntax of all manual pages that docbook-utils built was wrong. This update corrects the script. Now the manual page headers have the right syntax.

All users of docbook-utils are advised to upgrade to these updated packages, which fix this bug.

6.42. dovecot

6.42.1. RHSA-2013:0520 — Low: dovecot security and bug fix update

Updated dovecot packages that fix three security issues and one bug are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.

Dovecot is an IMAP server, written with security primarily in mind, for Linux and other UNIX-like systems. It also contains a small POP3 server. It supports mail in either of maildir or mbox formats. The SQL drivers and authentication plug-ins are provided as sub-packages.

Security Fixes

CVE-2011-2166, CVE-2011-2167
Two flaws were found in the way some settings were enforced by the script-login functionality of Dovecot. A remote, authenticated user could use these flaws to bypass intended access restrictions or conduct a directory traversal attack by leveraging login scripts.

CVE-2011-4318
A flaw was found in the way Dovecot performed remote server identity verification, when it was configured to proxy IMAP and POP3 connections to remote hosts using TLS/SSL protocols. A remote attacker could use this flaw to conduct man-in-the-middle attacks using an X.509 certificate issued by a trusted Certificate Authority (for a different name).

Bug Fix

BZ#697620
When a new user first accessed their IMAP inbox, Dovecot was, under some circumstances, unable to change the group ownership of the inbox directory in the user's Maildir location to match that of the user's mail spool (/var/mail/$USER). This correctly generated an "Internal error occurred" message. However, with a subsequent attempt to access the inbox, Dovecot saw that the directory already existed and proceeded with its operation, leaving the directory with incorrectly set permissions. This update corrects the underlying permissions setting error. When a new user now accesses their inbox for the first time, and it is not possible to set group ownership, Dovecot removes the created directory and generates an error message instead of keeping the directory with incorrect group ownership.

Users of dovecot are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the dovecot service will be restarted automatically.

6.43. dracut

6.43.1. RHBA-2013:0436 — dracut bug fix and enhancement update

Updated dracut packages that fix several bugs and add two enhancements are now available for Red Hat Enterprise Linux 6.

The dracut packages include an event-driven initramfs generator infrastructure based on the udev device manager. The virtual file system, initramfs, is loaded together with the kernel at boot time and initializes the system, so it can read and boot from the root partition.

Bug Fixes

BZ#835646
Previously, dracut could not handle uppercase MAC addresses for the PXE "BOOTIF=" parameter. As a consequence, a machine with a dracut-generated initramfs could not boot over the network when the "BOOTIF=" parameter contained uppercase MAC addresses. With this update, dracut internally converts the MAC addresses to lowercase. Now, a machine with a dracut-generated initramfs can boot over the network successfully when the "BOOTIF=" parameter contains uppercase MAC addresses.

BZ#831338
Previously, the default mount option of the /proc/ directory during boot up was "mount -t proc -o nosuid,noexec,nodev proc /proc". This resulted in inaccessible device nodes in the /proc/ directory for some kernel drivers. The default mount option of the /proc directory has been changed to "mount -t proc proc /proc" and all kernel modules now load successfully.

BZ#794751
Previously, dracut could not use the Internet Small Computer System Interface (iSCSI) and dmsquash-live module together. As a consequence, it was not possible to boot from a live medium over iSCSI. After this update, a dracut-generated initramfs, which contains the iSCSI and dmsquash-live modules, is able to boot a live medium via iSCSI. This can be done using the kernel command "root=live:LABEL=<partition-or-iso-label> netroot=iscsi: ".

BZ#813057
Previously, the new Brocade switch firmware took longer to complete the DCBx negotiation and a dracut-generated initramfs did not wait long enough for the DCBx negotiation. Now, the initramfs sleeps for three seconds after loading the "802q" kernel module and the DCBx negotiation with the new Brocade switch firmware completes successfully.

BZ#843105
When using the "live_ram" parameter for booting from live media, the dracut-generated initramfs ejected the medium. After this action, a reboot caused the machine to not boot from the medium again, even if it was intended. After this update, dracut honors the "no_eject" kernel command-line parameter. Now, if "no_eject" is given on the kernel command-line, the dracut-generated initramfs no longer ejects the live medium after copying it to the RAM.

BZ#850493
In FIPS mode, the kernel image has to be validated by a checksum. The sha512hmac tool reads the absolute path of the file to check from the checksum file. Previously, if "/boot" was not on a separate file system, dracut mounted the root file system to "/sysroot". The "/sysroot/boot" partition was not accessible with the "/boot" path and the sha512hmac tool could not access the file in "/boot" to check for. The check failed and the boot process was cancelled. Consequently, the boot processes did not succeed in FIPS mode if "/boot" was not on a separate file system. Now, dracut creates a symbolic link from the "/sysroot/boot" partition to the "/boot" partition in the initramfs and the sha512hmac tool can check the kernel image and the machine can continue booting, if the check was successful.

BZ#890081
Previously, the kernel module "scsi_dh_alua" was not included in the initramfs and as a consequence, "scsi_dh_alua" could not be preloaded via the "rdloaddriver" kernel command. The "scsi_dh_alua" kernel module is now included in the initramfs and "scsi_dh_alua" can be preloaded successfully using "rdloaddriver".

BZ#854416
Previously, dracut did not strip the kernel modules as mentioned in the man page. Consequently, initramfs size grew very big if the customer had kernel modules with a lot of debug info. The dracut utility now strips the kernel modules, except when in FIPS mode, and as a result, the initramfs size is smaller and can be loaded on machines with small memory.

Enhancements

BZ#823507
Documentation for the "rd_retry=" boot option has been added to the dracut(8) man page.

BZ#858187
The dracut utility can now boot from iSCSI on a network with virtual LANs configured, where the virtual LAN settings are stored in the iSCSI Boot Firmware Table BIOS.

Users of dracut are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.44. dropwatch

6.44.1. RHBA-2012:1182 — dropwatch bug fix update

Updated dropwatch packages that fix one bug are now available for Red Hat Enterprise Linux 6.

The dropwatch package contains a utility that provides packet monitoring services.


Bug Fix

BZ#725464
Prior to this update, the dropwatch utility could become unresponsive because it was waiting for a deactivation acknowledgement to be issued by an already deactivated or stopped service. With this update, dropwatch detects an attempt to deactivate/stop an already deactivated/stopped service and no longer hangs.

All users of dropwatch are advised to upgrade to these updated packages, which fix this bug.

6.45. dvd+rw-tools

6.45.1. RHBA-2012:1320 — dvd+rw-tools bug fix update

Updated dvd+rw-tools packages that fix one bug are now available for Red Hat Enterprise Linux 6.

The dvd+rw-tools packages contain a collection of tools to master DVD+RW/+R media.

BZ#807474
Prior to this update, the growisofs utility wrote chunks of 32KB and reported an error during the last chunk when burning ISO image files that were not aligned to 32KB. This update allows the written chunk to be smaller than a multiple of 16 blocks.

All users of dvd+rw-tools are advised to upgrade to these updated packages, which fix this bug.

6.46. e2fsprogs

6.46.1. RHBA-2013:0455 — e2fsprogs bug fix update

Updated e2fsprogs packages that fix several bugs and add one enhancement are now available for Red Hat Enterprise Linux 6.

The e2fsprogs packages provide a number of utilities for creating, checking, modifying, and correcting any inconsistencies in the ext2 file systems.

Bug Fixes

BZ#806137
On a corrupted file system, the "mke2fs -S" command could remove files instead of attempting to recover them. This bug has been fixed; the "mke2fs -S" command writes metadata properly and no longer removes files instead of recovering them.

BZ#813820
The resize2fs(8) man page did not list an ext4 file system as capable of on-line resizing. This omission has been fixed and the resize2fs(8) man page now includes all file systems that can be resized on-line.

BZ#858338
A special flag was used to indicate blocks allocated beyond the end of file on an ext4 file system. This flag was sometimes mishandled, resulting in file system corruption. Both the kernel and user space have been reworked to eliminate the use of this flag.

Enhancement

BZ#824126
Previously, users could use the e2fsck utility on a mounted file system, although it was strongly recommended not to do so. Using the utility on a mounted file system led to file system corruption. With this update, e2fsck opens the file system exclusively and fails when the file system is busy. This behavior avoids possible corruption of the mounted file system.

Users of e2fsprogs are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.

6.47. eclipse-nls

6.47.1. RHBA-2013:0357 — eclipse-nls bug fix and enhancement update

Updated eclipse-nls packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The eclipse-nls packages provide Native Language Support langpacks for the Eclipse IDE that contain translations into many languages.

Upgrade to an upstream version

The eclipse-nls packages have been upgraded to upstream version 3.6.0.v20120721114722, which updates the language packs and provides a number of bug fixes and enhancements over the previous version. (BZ#692358)

All users of eclipse-nls are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.48. environment-modules

6.48.1. RHBA-2013:0316 — environment-modules bug fix update

Updated environment-modules packages that fix several bugs are now available for Red Hat Enterprise Linux 6.

The environment-modules packages provide for the dynamic modification of a user's environment using modulefiles. Each modulefile contains the information needed to configure the shell for an application. Once the package is initialized, the environment can be modified on a per-module basis using the module command which interprets modulefiles.


Upgrade to an upstream version

The environment-modules package has been upgraded to upstream version 3.2.9c, which provides a number of bug fixes over the previous version. (BZ#765630)

Bug Fixes

BZ#818177
Due to an error in the Tcl library, some allocated pointers were invalidated inside the library. Consequently, running the "module switch" command in the tcsh shell led to a segmentation fault. The bug has been fixed and the system memory is now allocated and pointed to correctly.

BZ#848865
Previously, the /usr/share/Modules/modulefiles/modules file contained an incorrect path. Consequently, an error occurred when the "module load modules" command was executed. With this update, the incorrect path has been replaced and the described error no longer occurs.

All users of environment-modules are advised to upgrade to these updated packages, which fix these bugs.

6.49. espeak

6.49.1. RHBA-2012:1118 — espeak bug fix update

Updated espeak packages that fix one bug are now available for Red Hat Enterprise Linux 6.

The espeak packages contain a software speech synthesizer for English and other languages. eSpeak uses a "formant synthesis" method, which allows many languages to be provided in a small size.

Bug Fix

BZ#789997
Previously, eSpeak manipulated the system sound volume. As a consequence, eSpeak could set the sound volume to maximum regardless of the amplitude specified. The sound volume management code has been removed from eSpeak, and now only PulseAudio manages the sound volume.

All users of espeak are advised to upgrade to these updated packages, which fix this bug.

6.50. ethtool

6.50.1. RHBA-2013:0366 — ethtool bug fix and enhancement update

Updated ethtool packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The ethtool utility allows the querying and changing of Ethernet adapter settings, such as port speed, auto-negotiation, and device-specific performance options.

Upgrade to an upstream version

The ethtool packages have been upgraded to upstream version 3.5, which provides a number of bug fixes and enhancements over the previous version. (BZ#819846)

All users of ethtool are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.51. evolution-data-server

6.51.1. RHBA-2013:0410 — evolution-data-server bug fix update

Updated evolution-data-server packages that fix one bug are now available for Red Hat Enterprise Linux 6.

The evolution-data-server packages provide a unified back end for applications which interact with contacts, task and calendar information. Evolution Data Server was originally developed as a back end for Evolution, but is now used by various other applications.

Bug Fix

BZ#734048
The CalDav calendar back end was converting Uniform Resource Identifiers (URIs) with unescaped space characters or the "%20" string to "%2520". As a consequence, the back end could not contact the remote CalDav service, which made CalDav calendars inaccessible. This bug has been fixed and evolution-data-server works correctly in the described scenario.

All users of evolution-data-server are advised to upgrade to these updated packages, which fix this bug.

6.52. evolution

6.52.1. RHSA-2013:0516 — Low: evolution security and bug fix update

Updated evolution packages that fix one security issue and three bugs are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.

Evolution is the GNOME mailer, calendar, contact manager and communication tool. The components which make up Evolution are tightly integrated with one another and act as a seamless personal information-management tool.

Security Fix

CVE-2011-3201
The way Evolution handled mailto URLs allowed any file to be attached to the new message. This could lead to information disclosure if the user did not notice the attached file before sending the message. With this update, mailto URLs cannot be used to attach certain files, such as hidden files or files in hidden directories, files in the /etc/ directory, or files specified using a path containing "..".

Red Hat would like to thank Matt McCutchen for reporting this issue.
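
The attachment policy described above for CVE-2011-3201, written out as an added Python example; it is not Evolution's code. The `attach` query key and all function names are assumptions made for the illustration, and the sample URL is constructed.

```python
"""Added example (not Evolution's code): filter attachment requests in a mailto URL."""
import posixpath
from urllib.parse import urlsplit, unquote

# Assumption: "attach" is the mailto query key that names a local file to attach.
ATTACH_KEYS = {"attach"}


def attachment_allowed(path):
    """Apply the policy from the advisory to one decoded path.

    Returns (allowed, reason). The check is lexical only; it does not
    resolve symbolic links.
    """
    if path.lower().startswith("file://"):
        # file:// URIs carry their own percent-encoding layer.
        path = unquote(urlsplit(path).path)
    if not path:
        return False, "empty path"
    components = path.split("/")
    # Test the raw components before normalising, so that
    # "/home/u/../../etc/hosts" is refused rather than tidied up.
    if ".." in components:
        return False, "path contains '..'"
    if any(c.startswith(".") and c != "." for c in components):
        return False, "hidden file or directory"
    normalized = posixpath.normpath(path)
    if path.startswith("/"):
        # normpath() keeps a leading "//", which would dodge the /etc test.
        normalized = "/" + normalized.lstrip("/")
    if normalized == "/etc" or normalized.startswith("/etc/"):
        return False, "file under /etc/"
    return True, "ok"


def filter_mailto_attachments(url):
    """Return (allowed_paths, rejected); rejected is a list of (path, reason)."""
    parts = urlsplit(url)
    if parts.scheme != "mailto":
        raise ValueError("not a mailto URL")
    allowed, rejected = [], []
    for pair in parts.query.split("&"):
        key, _, value = pair.partition("=")
        if unquote(key).lower() not in ATTACH_KEYS:
            continue
        path = unquote(value)  # decode once; "+" is left alone
        ok, reason = attachment_allowed(path)
        if ok:
            allowed.append(path)
        else:
            rejected.append((path, reason))
    return allowed, rejected


# Constructed sample input, not taken from any real message.
SAMPLE = (
    "mailto:user@example.com?subject=Report"
    "&attach=/home/u/report.pdf"
    "&attach=/home/u/.config/app.ini"
    "&attach=/etc/hosts"
    "&attach=//etc/hosts"
    "&attach=/home/u/%2e%2e/%2e%2e/etc/hosts"
    "&attach=file:///etc/hosts"
    "&attach=/etcetera/notes.txt"
)

if __name__ == "__main__":
    ok, bad = filter_mailto_attachments(SAMPLE)
    print("allowed:", ok)
    for path, reason in bad:
        print("rejected:", path, "->", reason)
```

Percent-decoding happens before the policy check, and the ".." test runs on the raw components before normalisation, so encoded or redundant path forms are judged on what they resolve to lexically.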

Bug Fixes

BZ#707526
Creating a contact list with contact names encoded in UTF-8 caused these names to be displayed in the contact list editor in the ASCII encoding instead of UTF-8. This bug has been fixed and the contact list editor now displays the names in the correct format.

BZ#805239
Due to a bug in the evolution-alarm-notify process, calendar appointment alarms did not appear in some types of calendars. The underlying source code has been modified and calendar notifications work as expected.

BZ#890642
An attempt to print a calendar month view as a PDF file caused Evolution to terminate unexpectedly. This update applies a patch to fix this bug and Evolution no longer crashes in this situation.

All evolution users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of Evolution must be restarted for this update to take effect.

6.53. fcoe-target-utils

6.53.1. RHBA-2013:0457 — fcoe-target-utils bug fix and enhancement update

Updated fcoe-target-utils packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The fcoe-target-utils packages provide a command-line interface for configuring FCoE LUNs (Fibre Channel over Ethernet Logical Unit Numbers) and backstores.

Bug Fixes

BZ#819698
Prior to this update, stopping the fcoe-target daemon did not stop the target session when rebooting. This update improves the fcoe-target script and the fcoe-target daemon can now properly shut down the kernel target.

BZ#824227
Prior to this update, a delay in the FCoE interface initialization sometimes resulted in the target configuration not being loaded for that interface. This update permits target configuration for absent interfaces, allowing target and interface configuration in any order.

BZ#837730
Prior to this update, specifying a nonexistent backing file when creating a backstore resulted in the unhelpful Python error "ValueError: No such path". This update reports the error in a more helpful way.

BZ#837992
Prior to this update, attempting to remove a storage object in a backstore resulted in a Python error. This update fixes the problem and storage objects can now be removed as expected.

BZ#838442
Prior to this update, attempting to redirect the output of targetcli resulted in a Python error. This update allows targetcli to be successfully redirected.

BZ#846670
Due to a regression, creating a backstore resulted in a Python error. This update allows backstore creation without error.

Enhancements

BZ#828096
Prior to this update, backstore size listing abbreviations did not clearly specify between power of 10 (for example Gigabyte) and power of 2 (Gibibyte). This update lists backstore sizes using power-of-2 sizes and labels them as such.

BZ#828681
The caching characteristics of backstores are now exposed via the SCSI Write Cache Enable (WCE) bit to initiators, instead of being set opaquely via the "buffered-mode" backstore setting. The default setting for WCE is "on".

All users of fcoe-target-utils are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.54. fcoe-utils

6.54.1. RHBA-2013:0412 — fcoe-utils bug fix and enhancement update

Updated fcoe-utils packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The fcoe-utils packages provide Fibre Channel over Ethernet (FCoE) utilities, such as the fcoeadm command line tool for configuring FCoE interfaces, and the fcoemon service to configure DCB Ethernet QOS filters.


Upgrade to an upstream version

The fcoe-utils packages have been upgraded to upstream version 1.0.24, which provides a number of bug fixes and enhancements over the previous version.

Bug Fix

BZ#867117
When turning off DCB on a Fibre Channel over Ethernet (FCoE) initiator interface connected to a Cisco Fibre Channel Forwarder (FCF), the fcoemon utility disabled the interface but the FCoE interface was re-enabled by a Netlink event before DCB was operational again. Consequently, the interface did not operate in degraded mode with LUNS present as expected and the output of the "ip l" and "fcoeadm -i" commands was contradictory. A patch has been applied to the fcoemon utility to ensure DCB is operational again before enabling the FCoE interface when a link is brought up. In addition, a patch has been applied to fcoe-utils to improve error handling and error messages related to creating and deleting of FCoE interfaces when DCB is not ready.

Enhancement

BZ#826291
Support for VLAN notification with VLAN ID 0 has been added. If a VLAN notification has the tag "VLAN 0", the physical port will now be activated. The VLAN interface will not be created but FCoE will be started on the physical interface itself.

All users of fcoe-utils are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.55. febootstrap

6.55.1. RHBA-2013:0432 — febootstrap bug fix update

Updated febootstrap packages that fix one bug are now available for Red Hat Enterprise Linux 6.

The febootstrap packages provide a tool to create a basic Red Hat Enterprise Linux or Fedora file system, and build initramfs (initrd.img) or file system images.

Bug Fix

BZ#803962
The "febootstrap-supermin-helper" program is used when opening a disk image using the libguestfs API, or as part of virt-v2v conversion. Previously, this tool did not always handle the "-u" and "-g" options correctly when the host used an LDAP server to resolve user names and group names. This caused the virt-v2v command to fail when LDAP was in use. With this update, the "febootstrap-supermin-helper" program has been modified to parse the "-u" and "-g" options correctly, so that virt-v2v works as expected in the described scenario.

Users of febootstrap are advised to upgrade to these updated packages, which fix this bug.


6.56. fence-agents

6.56.1. RHBA-2013:0540 — fence-agents bug fix update

Updated fence-agents packages that fix two bugs are now available for Red Hat Enterprise Linux 6.

Red Hat fence agents are a collection of scripts for handling remote power management for cluster devices. They allow failed or unreachable nodes to be forcibly restarted and removed from the cluster.

Bug Fixes

BZ#908409
Previously, when fencing a Red Hat Enterprise Linux cluster node with the fence_soap_vmware fence agent, the agent terminated unexpectedly with a traceback if it was not possible to resolve a hostname of an IP address. With this update, a proper error message is displayed in the described scenario.

BZ#9084 01Due to incorrect detection on newline characters during an SSH connection, the fence_drac5agent could terminate the connection with a traceback when fencing a Red Hat Enterprise Linuxcluster node. Only the first fencing action completed successfully but the status of the nodewas not checked correctly. Consequently, the fence agent failed to report successful fencing.When the "reboot" operation was called, the node was only powered off. With this update, thenewline characters are correctly detected and the fencing works as expected.

All users of fence-agents are advised to upgrade to these updated packages, which fix these bugs.

6.56.2. RHBA-2013:0286 — fence-agents bug fix and enhancement updateUpdated fence-agents packages that fix multiple bugs and add four enhancements are now available forRed Hat Enterprise Linux 6.

The fence-agents packages provide the Red Hat fence agents to handle remote power management forcluster devices. The fence-agents allow failed or unreachable nodes to be forcibly restarted andremoved from the cluster.

Bug Fixes

BZ#769798The speed of fencing is critical because otherwise, broken nodes have more time to corruptdata. Prior to this update, the operation of the fence_vmware_soap fence agent was slowerthan expected when used on the VMWare vSphere platform with hundreds of virtual machines.With this update, the fencing process is faster and does not terminate if virtual machineswithout an UID are encountered.

BZ#822507Prior to this update, the attribute "unique" in XML metadata was set to TRUE (1) by default.This update modifies the underlying code to use FALSE (0) as the default value because fenceagents do not use these attributes.

BZ#825667
Prior to this update, certain fence agents did not generate correct metadata output. As a result, it was not possible to use the metadata for automatic generation of manual pages and user interfaces. With this update, all fence agents generate their metadata as expected.

BZ#842314
Prior to this update, the fence_apc script failed to log into APC power switches where firmware changed the end-of-line marker from CR-LF to LF. This update modifies the script to log into a fence device as expected.

BZ#863568
Prior to this update, the fence_rhevm agent failed to run the regular expression get_id regex when using a new href attribute. As a consequence, the plug status was not available. This update modifies the underlying code to show the correct status either as ON or OFF.

Enhancements

BZ#740869
This update adds the fence_ipdu agent to support IBM iPDU fence devices in Red Hat Enterprise Linux 6.

BZ#752449
This update adds the fence_eaton agent to support Eaton ePDU (Enclosure Power Distribution Unit) devices in Red Hat Enterprise Linux 6.

BZ#800650
This update adds symlinks for common fence types that utilize standards-based agents in Red Hat Enterprise Linux 6.

BZ#818337
This update adds the fence_bladecenter agent to the fence-agents packages in Red Hat Enterprise Linux 6 to support the --missing-as-off feature for the HP BladeSystem to handle missing nodes as switched off nodes so that fencing can end successfully even if a blade is missing.

BZ#837174
This update supports action=metadata via standard input for all fence agents.

All users of fence-agents are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.57. fence-virt

6.57.1. RHBA-2013:0419 — fence-virt bug fix and enhancement update

Updated fence-virt packages that fix two bugs and add two enhancements are now available for Red Hat Enterprise Linux 6.

The fence-virt packages provide a fencing agent for virtual machines as well as a host agent, which processes fencing requests.

Bug Fixes

BZ#761228
Previously, the fence_virt man page contained incorrect information in the "SERIAL/VMCHANNEL PARAMETERS" section. With this update, the man page has been corrected.

BZ#853927
Previously, the fence_virtd daemon returned an incorrect error code to the fence_virt agent when the virt domain did not exist. Consequently, the fence_node utility occasionally failed to detect fencing. With this update, the error codes have been changed and the described error no longer occurs.

Enhancements

BZ#823542
The "delay" (-w) option has been added to the fence_virt and fence_xvm fencing agents. The delay option can be used, for example, as a method of preloading a winner in a fence race in a CMAN cluster.

BZ#843104
With this update, the documentation of the "hash" parameter in the fence_virt.conf file has been improved to note that "hash" specifies the weakest hashing algorithm allowed for client requests.

All users of fence-virt are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.58. file

6.58.1. RHBA-2012:1339 — file bug fix update

Updated file packages that fix multiple bugs are now available for Red Hat Enterprise Linux 6.

The "file" command is used to identify a particular file according to the type of data contained in the file. The command can identify various file types, including ELF binaries, system libraries, RPM packages, and different graphics formats.

Bug Fixes

BZ#795425
The file utility did not contain a "magic" pattern for detecting QED images and was therefore not able to detect such images. A new "magic" pattern for detecting QED images has been added, and the file utility now detects these images as expected.

BZ#795761
The file utility did not contain a "magic" pattern for detecting VDI images and was therefore not able to detect such images. A new "magic" pattern for detecting VDI images has been added, and the file utility now detects these images as expected.

BZ#797784
Previously, the file utility did not attempt to load "magic" patterns from the ~/.magic.mgc file, which caused "magic" patterns stored in this file to be unusable. This update modifies the file utility so it now attempts to load the ~/.magic.mgc file. The file is loaded if it exists and "magic" patterns defined in this file work as expected.

BZ#801711
Previously, the file utility used read timeout when decompressing files using the "-z" option. As a consequence, the utility was not able to detect files compressed by the bzip2 tool. The underlying source code has been modified so that file no longer uses read timeout when decompressing compressed files. Compressed files are now detected as expected when using the "-z" option.

BZ#859834
Previously, the file utility contained multiple "magic" patterns to detect output of the "dump" backup tool. On big-endian architectures, the less detailed "magic" pattern was used and output of the file utility was inconsistent. The less detailed "magic" pattern has been removed, and only one, more detailed, "magic" pattern to detect "dump" output is used now.

All users of file are advised to upgrade to these updated packages, which fix these bugs.

6.59. firstboot

6.59.1. RHEA-2013:0488 — firstboot enhancement update

Updated firstboot packages that add one enhancement are now available for Red Hat Enterprise Linux 6.

The firstboot utility runs after installation and guides the user through a series of steps that allows for easier configuration of the machine.

Enhancement

BZ#831818
Previously, the Firstboot utility allowed displaying only the English version of the End User Licence Agreement (EULA), which could be problematic for users who do not understand English. This update modifies Firstboot so that it uses the $LANG environment variable to find the localized EULA file according to the language set during installation. If the EULA file in the selected language is not found, the default EULA file, which is in English, is used. Users can now read the EULA document in the language chosen during installation before accepting it.

All users of firstboot are advised to upgrade to these updated packages, which add this enhancement.

6.60. ftp

6.60.1. RHBA-2012:1192 — ftp bug fix update

Updated ftp packages that fix one bug are now available for Red Hat Enterprise Linux 6.

The ftp package provides the standard UNIX command line File Transfer Protocol (FTP) client. FTP is a widely used protocol for transferring files over the Internet, and for archiving files.

Bug Fix

BZ#783868
Prior to this update, using the ftp command "put" when the stack size was set to unlimited caused the sysconf(_SC_ARG_MAX) function to return -1, which in turn resulted in the malloc() function being called with an argument of 0 and causing an "Out of memory" message to be displayed. With this update, the underlying source code has been improved to allocate a reasonable minimum of memory. As a result, the "Out of memory" message no longer appears if the stack size was previously set to unlimited.

All users of ftp are advised to upgrade to these updated packages, which fix this bug.
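
The failure mode in BZ#783868 comes from letting a sysconf() result of -1 flow into size arithmetic. The following C sketch is an added example, not the ftp client's actual patch; the bounds LINE_BUF_MIN and LINE_BUF_MAX and both function names are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Assumed bounds for this example; the advisory gives no figures. */
#define LINE_BUF_MIN 4096L
#define LINE_BUF_MAX (1L << 20)

/*
 * Turn a sysconf(_SC_ARG_MAX) result into a usable allocation size.
 * sysconf() returns -1 both on error and when the limit is indeterminate
 * (errno is then left unchanged), so the raw value must be clamped before
 * it is used as a length.
 */
size_t line_buf_size(long arg_max)
{
    if (arg_max < LINE_BUF_MIN)
        return (size_t)LINE_BUF_MIN;   /* covers -1, 0 and tiny limits */
    if (arg_max > LINE_BUF_MAX)
        return (size_t)LINE_BUF_MAX;   /* do not let a huge limit drive malloc */
    return (size_t)arg_max;
}

/* Allocate the command-line buffer; *len receives its size in bytes. */
char *alloc_line_buf(size_t *len)
{
    long arg_max;
    size_t n;
    char *buf;

    errno = 0;
    arg_max = sysconf(_SC_ARG_MAX);
    if (arg_max == -1 && errno != 0)
        perror("sysconf(_SC_ARG_MAX)"); /* real error; still fall back */

    n = line_buf_size(arg_max);
    buf = malloc(n);
    if (buf == NULL)
        return NULL;
    buf[0] = '\0';
    *len = n;
    return buf;
}

int main(void)
{
    size_t n = 0;
    char *buf = alloc_line_buf(&n);

    if (buf == NULL) {
        perror("malloc");
        return 1;
    }
    printf("command-line buffer: %zu bytes\n", n);
    free(buf);
    return 0;
}
```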

6.60.2. RHBA-2012:1444 — ftp bug fix update

Updated ftp packages that fix one bug are now available for Red Hat Enterprise Linux 6.

The ftp packages provide the standard UNIX command line File Transfer Protocol (FTP) client. FTP is a widely used protocol for transferring files over the Internet, and for archiving files.

Bug Fixes

BZ#869858
Prior to this update, the ftp client could encounter a buffer overflow and abort if a macro longer than 200 characters was defined and then used after a connection. This update modifies the underlying code and extends the buffer that holds memory for the macro name. Now, ftp matches the length of the command line limit and the ftp client no longer aborts when a macro with a long name is executed.

All users of ftp are advised to upgrade to these updated packages, which fix this bug.

6.60.3. RHBA-2012:1354 — ftp bug fix update

Updated ftp packages that fix four bugs are now available for Red Hat Enterprise Linux 6.

The ftp packages provide the standard UNIX command line File Transfer Protocol (FTP) client. FTP is a widely used protocol for transferring files over the Internet, and for archiving files.

Bug Fixes

BZ#665337
Previously, the command line width in the ftp client was limited to 200 characters. With this update, the maximum possible length of the FTP command line is extended to 4296 characters.

BZ#786004
Prior to this update, "append", "put", and "send" commands were causing system memory to leak. The memory holding the ftp command was not freed appropriately. With this update, the underlying source code has been improved to correctly free the system resources and the memory leaks are no longer present.

BZ#849940
Previously, the ftp client could not be invoked to run directly in the active mode. This functionality has been added to the source code and documented in the manual page. The client can now be executed with an additional "-A" command line parameter and will run in the active mode.

BZ#852636
Previously, the ftp client hung when the ftp-data port (20) was not available (e.g. was blocked). The client then had to be terminated manually. Additional logic has been added to the source code. With this update, ftp has an internal timeout set to 30 seconds. If there is no answer from the server when this time has passed, ftp will now gracefully time out and not hang.

All users of ftp are advised to upgrade to these updated packages, which fix these bugs.

6.61. gawk

6.61.1. RHBA-2012:1146 — gawk bug fix update

Updated gawk packages that fix one bug are now available for Red Hat Enterprise Linux 6.

The gawk packages provide the GNU version of the text processing utility awk. Awk interprets a special-purpose programming language to do quick and easy text pattern matching and reformatting jobs.

Bug Fix

BZ#829558
Prior to this update, the "re_string_skip_chars" function incorrectly used the character count instead of the raw length to estimate the string length. As a consequence, any text in multi-byte encoding that did not use the UTF-8 format failed to be processed correctly. This update modifies the underlying code so that the correct string length is used. Multi-byte encoding is now processed correctly.

All users of gawk requiring multi-byte encodings that do not use UTF-8 are advised to upgrade to these updated packages, which fix this bug.

6.62. gcc

6.62.1. RHBA-2013:0420 — gcc bug fix update

Updated gcc packages that fix several bugs are now available for Red Hat Enterprise Linux 6.

The gcc packages provide compilers for C, C++, Java, Fortran, Objective C, and Ada 95 GNU, as well as related support libraries.

Bug Fixes

BZ#801144
Due to the incorrect size of a pointer in GCC GNAT code, GNAT used an incorrect function of the libgcc library when compiling 32-bit Ada binaries on PowerPC architecture. Consequently, these programs could not be linked and the compilation failed. This update fixes the problem so that the sizeof operator now returns the correct size of a pointer, and the appropriate function from libgcc is called. GNAT compiles Ada binaries as expected in this scenario.

BZ#808590
The Standard Template Library (STL) contained an incomplete move semantics implementation, which could cause GCC to generate incorrect code. The incorrect headers have been fixed so that GCC now produces the expected code when depending on move semantics.

BZ#819100
GCC did not, under certain circumstances, handle generating a CPU instruction sequence that would be independent of indexed addressing on PowerPC architecture. As a consequence, an internal compiler error occurred if the "__builtin_bswap64" built-in function was called with the "-mcpu=power6" option. This update corrects the relevant code so that GCC now generates an alternate instruction sequence that does not depend on indexed addressing in this scenario.

BZ#821901
A bug in converting the exception handling region could cause an internal compiler error to occur when compiling profile data with the "-fprofile-use" and "-freorder-basic-blocks-and-partition" options. This update fixes the erroneous code and the compilation of profile data now proceeds as expected in this scenario.

BZ#826882
Previously, GCC did not properly handle certain situations when an enumeration was type cast using the static_cast operator. Consequently, an enumeration item could have been assigned an integer value greater than the highest value of the enumeration's range. If the compiled code contained testing conditions using such enumerations, those checks were incorrectly removed from the code during code optimization. With this update, GCC was modified to handle enumeration type casting properly and C++ now no longer removes the mentioned checks.

BZ#831832
Previously, when comparing the trees equality, the members of a union or structure were not handled properly in the C++ compiler. This led to an internal compiler error. This update modifies GCC so that unions and structures are now handled correctly and code that uses tree equality comparing is now compiled successfully.

BZ#867878
GCC previously processed the "srak" instructions without the z196 flag, which enables a compiler to work with these instructions. Consequently, some binaries, such as Firefox, could not be compiled on IBM System z and IBM S/390 architectures. With this update, GCC has been modified to support the z196 flag for the srak instructions, and binaries requiring these instructions can now be compiled successfully on IBM System z and IBM S/390 architectures.

All users of gcc are advised to upgrade to these updated packages, which fix these bugs.

6.63. gdb

6.63.1. RHSA-2013:0522 — Moderate: gdb security and bug fix update

Updated gdb packages that fix one security issue and three bugs are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.

The GNU Debugger (GDB) allows debugging of programs written in C, C++, Java, and other languages by executing them in a controlled fashion and then printing out their data.

Security Fix

CVE-2011-4355
GDB tried to auto-load certain files (such as GDB scripts, Python scripts, and a thread debugging library) from the current working directory when debugging programs. This could result in the execution of arbitrary code with the user's privileges when GDB was run in a directory that has untrusted content.

Note

With this update, GDB no longer auto-loads files from the current directory and only trusts certain system directories by default. The list of trusted directories can be viewed and modified using the "show auto-load safe-path" and "set auto-load safe-path" GDB commands. Refer to the GDB manual for further information:
http://sourceware.org/gdb/current/onlinedocs/gdb/Auto_002dloading-safe-path.html#Auto_002dloading-safe-path
http://sourceware.org/gdb/current/onlinedocs/gdb/Auto_002dloading.html#Auto_002dloading

Bug Fixes

BZ#795424
When a struct member was at an offset greater than 256 MB, the resulting bit position within the struct overflowed and caused an invalid memory access by GDB. With this update, the code has been modified to ensure that GDB can access such positions.

BZ#811648
When a thread list of the core file became corrupted, GDB did not print this list but displayed the "Cannot find new threads: generic error" error message instead. With this update, GDB has been modified and it now prints the thread list of the core file as expected.

BZ#836966
GDB did not properly handle debugging of multiple binaries with the same build ID. This update modifies GDB to use symbolic links created for particular binaries so that debugging of binaries that share a build ID now proceeds as expected. Debugging of live programs and core files is now more user-friendly.

All users of gdb are advised to upgrade to these updated packages, which contain backported patches to correct these issues.
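
For hosts that cannot be updated immediately, or to review a directory before adding it to the safe-path, the following added example (not Red Hat's or GDB's code) lists files whose names match GDB's auto-load conventions, the kind of files CVE-2011-4355 concerns. The name patterns (".gdbinit", "*-gdb.gdb", "*-gdb.py", "libthread_db.so*") are taken from the GDB manual's auto-loading documentation rather than from this advisory, and the function names are this example's own.

```c
#include <dirent.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if s ends with suffix and has at least one character before it. */
static int has_suffix(const char *s, const char *suffix)
{
    size_t ls = strlen(s), lx = strlen(suffix);
    return ls > lx && strcmp(s + ls - lx, suffix) == 0;
}

/*
 * Return 1 if a file name follows one of GDB's auto-load naming
 * conventions (assumed from the GDB manual):
 *   .gdbinit            init file read from the current directory
 *   OBJFILE-gdb.gdb     GDB command script tied to an object file
 *   OBJFILE-gdb.py      Python script tied to an object file
 *   libthread_db.so*    thread debugging library
 */
int is_gdb_autoload_name(const char *name)
{
    static const char libthread[] = "libthread_db.so";

    if (strcmp(name, ".gdbinit") == 0)
        return 1;
    if (strncmp(name, libthread, sizeof(libthread) - 1) == 0)
        return 1;
    if (has_suffix(name, "-gdb.gdb") || has_suffix(name, "-gdb.py"))
        return 1;
    return 0;
}

/*
 * List auto-load candidates found directly in dir. Writes one path per
 * line to report (may be NULL) and returns the number of hits, or -1 if
 * the directory cannot be opened.
 */
int scan_dir_for_autoload(const char *dir, FILE *report)
{
    DIR *d = opendir(dir);
    struct dirent *e;
    int hits = 0;

    if (d == NULL)
        return -1;
    while ((e = readdir(d)) != NULL) {
        if (is_gdb_autoload_name(e->d_name)) {
            if (report != NULL)
                fprintf(report, "%s/%s\n", dir, e->d_name);
            hits++;
        }
    }
    closedir(d);
    return hits;
}

int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : ".";
    int n = scan_dir_for_autoload(dir, stdout);

    if (n < 0) {
        perror(dir);
        return 2;
    }
    fprintf(stderr, "%d auto-load candidate(s) in %s\n", n, dir);
    return n > 0 ? 1 : 0;   /* non-zero exit when something needs review */
}
```

Run it against a build or download directory before starting a debugging session there; any path it prints should be inspected before the directory is added with "set auto-load safe-path".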

6.64. gdm

6.64.1. RHBA-2013:0381 — gdm bug fix and enhancement update

Updated gdm packages that fix four bugs and add two enhancements are now available for Red Hat Enterprise Linux 6.

The gdm packages provide the GNOME Display Manager (GDM), which implements the graphical login screen, shown shortly after boot up, log out, and when user-switching.

Bug Fixes

BZ#616755
Previously, the gdm_smartcard_extension_is_visible() function returned "TRUE" instead of the "ret" variable. Consequently, the smartcard login could not be disabled in the system-config-authentication window if the pcsd package was installed. With this update, gdm_smartcard_extension_is_visible() has been modified to return the correct value. As a result, the described error no longer occurs.

BZ#704245
When GDM was used to connect to a host via XDMCP (X Display Manager Control Protocol), another connection to a remote system using the "ssh -X" command resulted in failed authentication with the X server. Consequently, applications such as xterm could not be displayed on a remote system. This update provides a compatible MIT-MAGIC-COOKIE-1 key in the described scenario, thus fixing this incompatibility.

BZ#738462
Previously, X server audit messages were not included by default in the X server log. Now, those messages are unconditionally included in the log. Also, with this update, verbose messages are added to the X server log if debugging is enabled in the /etc/gdm/custom.conf file by setting "Enable=true" in the "debug" section.

BZ#820058
Previously, after booting the system, the following message occurred in the /var/log/gdm/:0-greeter.log file:

gdm-simple-greeter[PID]: Gtk-WARNING: gtkwidget.c:5460: widget not within a GtkWindow

With this update, this warning is no longer displayed.

Enhancements

BZ#719647
With this update, GDM has been modified to allow smartcard authentication when the visible user list is disabled.

BZ#834303
Previously, the GDM debugging logs were stored in the /var/log/messages file. With this update, a separate /var/log/gdm/daemon.log file has been established for these debugging logs.

All users of gdm are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.65. gd

6.65.1. RHBA-2012:1274 — gd bug fix update

Updated gd packages that fix one bug are now available for Red Hat Enterprise Linux 6.

The gd packages provide the gd graphics library. GD allows code to draw images as PNG or JPEG files.

BZ#790400
Prior to this update, the gd graphics library handled inverted Y coordinates incorrectly when changing the thickness of a line. As a consequence, lines with changed thickness were drawn incorrectly. This update modifies the underlying code to draw lines with changed thickness correctly.

All users of gd are advised to upgrade to these updated packages, which fix this bug.

6.66. geronimo-specs

6.66.1. RHBA-2012:1397 — geronimo-specs bug fix update

Updated geronimo-specs packages that fix one bug are now available for Red Hat Enterprise Linux 6.

The geronimo-specs packages provide the specifications for Apache's ASF-licenced J2EE server Geronimo.

Bug Fix

BZ#818755
Prior to this update, the geronimo-specs-compat package description contained inaccurate references. This update removes these references so that the description is now accurate.

All users of geronimo-specs are advised to upgrade to these updated packages, which fix this bug.

6.67. glibc

6.67.1. RHBA-2013:0279 — glibc bug fix update

Updated glibc packages that fix multiple bugs are now available for Red Hat Enterprise Linux 6.

The glibc packages provide the standard C and standard math libraries, which are used by multiple programs on the system. These libraries are required for the Linux system to function correctly.

Bug Fixes

BZ#804686
Prior to this update, a logic error caused the DNS code of glibc to incorrectly handle rejected responses from DNS servers. As a consequence, additional servers in the /etc/resolv.conf file could not be searched after one server responded with a REJECT. This update modifies the logic in the DNS. Now, glibc cycles through the servers listed in /etc/resolv.conf even if one returns a REJECT response.

BZ#806404
Prior to this update, the nss/getnssent.c file contained an unchecked malloc call and an incorrect loop test. As a consequence, glibc could abort unexpectedly. This update modifies the malloc call and the loop test.

BZ#809726
Prior to this update, locale data for the characters in the range a-z were incorrect in the Finnish locale. As a consequence, some characters in the range a-z failed to print correctly in the Finnish locale. This update modifies the underlying code to provide the correct output for these characters. Now, characters in the Finnish locale print as expected.

BZ#823909
If a file or a string was in the IBM-930 encoding, and contained the invalid multibyte character "0xffff", attempting to use iconv() (or the iconv command) to convert that file or string to another encoding, such as UTF-8, resulted in a segmentation fault. Now, the conversion code for the IBM-930 encoding recognizes this invalid character and calls an error handler, rather than causing a segmentation fault.

BZ#826149
Prior to this update, the fnmatch() function failed with the return value -1 when the wildcard character "*" was part of the pattern argument and the file name argument contained an invalid multibyte encoding. This update modifies the fnmatch() code to recognize this case. Now, the invalid characters are treated as not matching and then the process proceeds.

BZ#827362
Prior to this update, the internal FILE offset was set incorrectly in wide character streams. As a consequence, the offset returned by ftell was incorrect. In some cases, this could result in over-writing data. This update modifies the ftell code to correctly set the internal FILE offset field for wide characters. Now, ftell and fseek handle the offset as expected.

BZ#829222
Prior to this update, the /etc/rpc file was not set as a configuration file in the glibc build. As a consequence, updating glibc caused the /etc/rpc file to be replaced without warning or creating a backup copy. This update correctly marks /etc/rpc as a configuration file. Now, the existing /etc/rpc file is left in place, and the bundled version can be installed in /etc/rpc.rpmnew.

BZ#830127
Prior to this update, the vfprintf function returned the wrong error codes when encountering an overflow. As a consequence, applications which checked return codes from vfprintf could get unexpected values. This update modifies the error codes for overflow situations.

BZ#832516
Prior to this update, the newlocale flag relied entirely on failure of an underlying open() call to set the errno variable for an incorrect locale name. As a consequence, the newlocale() function did not set the errno variable to an appropriate value when failing, if it had already been asked about the same incorrect locale name. This update modifies the logic in the loadlocale call so that subsequent attempts to load a non-existent locale more than once always set the errno variable appropriately.

BZ#832694
Prior to this update, the ESTALE error message referred only to NFS file systems. As a consequence, users were confused when non-NFS file systems triggered this error. This update modifies the error message to apply the error message to all file systems that can trigger this error.

BZ#835090
Prior to this update, an internal array of name servers was only partially initialized when the /etc/resolv.conf file contained IPv6 name servers. As a consequence, applications could, depending on the exact contents of a nearby structure, abort. This update modifies the underlying code to handle IPv6 name servers listed in /etc/resolv.conf.

BZ#837695
Prior to this update, a buffer in the resolver code for glibc was too small to handle results for certain DNS queries. As a consequence, the query had to be repeated after a larger buffer was allocated, which wasted time and network bandwidth. This update enlarges the buffer to handle the larger DNS results.

BZ#837918
Prior to this update, the logic for the functions exp, exp2, pow, sin, tan, and rint was erroneous. As a consequence, these functions could fail when running them in the non-default rounding mode. With this update, the functions return correct results across all 4 different rounding modes.

BZ#841787
Prior to this update, glibc incorrectly handled the options rotate option in the /etc/resolv.conf file if this file also contained one or more IPv6 name servers. As a consequence, DNS queries could unexpectedly fail, particularly when multiple queries were issued by a single process. This update modifies the internalization of the listed servers from /etc/resolv.conf into internal structures of glibc, as well as the sorting and rotation of those structures to implement the options rotate capability. Now, DNS names are resolved correctly in glibc.

BZ#846342
Prior to this update, certain user-defined 32 bit executables could issue calls to the memcpy() function with overlapping arguments. As a consequence, the applications invoked undefined behavior and could fail. With this update, users with 32 bit applications which issue the memcpy function with overlapping arguments can create the /etc/sysconfig/32bit_ssse3_memcpy_via_32bit_ssse3_memmove file. If this file exists, glibc redirects all calls to the SSSE3 memcpy copiers to the SSSE3 memmove copier, which is tolerant of overlapping arguments.

Important

We strongly encourage customers to identify and fix these problems in their source code. Overlapping arguments to memcpy() is a clear violation of the ANSI/ISO standards and Red Hat does not provide binary compatibility for applications which violate these standards.

BZ#847932
Prior to this update, the strtod(), strtof(), and strtold() functions to convert a string to a numeric representation in glibc contained multiple integer overflow flaws. This caused stack-based buffer overflows. As a consequence, these functions could cause an application to abort or, under certain circumstances, execute arbitrary code. This update modifies the underlying code to avoid these faults.

BZ#848082
Prior to this update, the setlocale() function failed to detect memory allocation problems. As a consequence, the setlocale() function eventually core dumped, due to NULL pointers or uninitialized strings. This update modifies the setlocale code to ensure that memory allocation succeeded. Now, the setlocale() function no longer core dumps.

BZ#849651
Prior to this update, the expf() function was considerably slowed down when saving and restoring the FPU state. This update adds a hand optimized assembler implementation of the expf() function for Intel 64 and AMD64 platforms. Now, the expf() function is considerably faster.

BZ#852445
Prior to this update, the PowerPC specific pthread_once code did not correctly publish changes it made. As a consequence, the changes were not visible to other threads at the right time. This update adds release barriers to the appropriate thread code to ensure correct synchronization of data between multiple threads.

BZ#861167
This update adds the MADV_DONTDUMP and MADV_DODUMP macros to the mman.h file to compile code that uses these macros.

BZ#863453
Prior to this update, the nscd daemon attempted to free a pointer that was not provided by the malloc() function, due to an error in the memory management in glibc. As a consequence, nscd could terminate unexpectedly, when handling groups with a large number of members. This update ensures that memory allocated by the pool allocator is no longer passed to free. Now, the pool allocator's garbage collector reclaims the memory. As a result, nscd no longer crashes on groups with a large number of members.

BZ#864322
Prior to this update, the IPTOS_CLASS definition referenced the wrong object. As a consequence, applications that referenced the IPTOS_CLASS definition from the ip.h file did not build or failed to operate as expected. This update modifies the definition to reference the right object and applications that reference to the IPTOS_CLASS definition.

Users of glibc are advised to upgrade to these updated packages, which fix these bugs ...
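
As an aid to locating the overlapping memcpy() calls that BZ#846342 asks customers to fix, the following added example (not glibc or Red Hat code) shows a debug wrapper that refuses an overlapping copy and reports the call site, next to the memmove() form that is defined for overlapping regions. The names regions_overlap, checked_memcpy, CHECKED_MEMCPY and shift_right are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Return 1 if [dst, dst+n) and [src, src+n) share at least one byte.
 * Addresses are compared as integers because relational comparison of
 * pointers into different objects is itself undefined in C.
 */
int regions_overlap(const void *dst, const void *src, size_t n)
{
    uintptr_t d = (uintptr_t)dst;
    uintptr_t s = (uintptr_t)src;

    if (n == 0)
        return 0;
    return d < s ? (s - d < n) : (d - s < n);
}

/*
 * Debug replacement for memcpy(): when the regions overlap it copies
 * nothing, reports the call site on stderr and returns NULL, so the
 * offending call can be found and rewritten. Otherwise it behaves like
 * memcpy() and returns dst.
 */
void *checked_memcpy(void *dst, const void *src, size_t n,
                     const char *file, int line)
{
    if (regions_overlap(dst, src, n)) {
        fprintf(stderr,
                "%s:%d: memcpy() with overlapping regions (n=%zu); "
                "use memmove()\n", file, line, n);
        return NULL;
    }
    return memcpy(dst, src, n);
}

#define CHECKED_MEMCPY(d, s, n) \
    checked_memcpy((d), (s), (n), __FILE__, __LINE__)

/*
 * Corrected form of a typical offender: shifting the first len bytes of
 * a buffer to the right by `by` bytes. Source and destination overlap
 * whenever by < len, so memmove() is required. The caller must ensure
 * the buffer holds at least len + by bytes.
 */
void shift_right(char *buf, size_t len, size_t by)
{
    memmove(buf + by, buf, len);
}

int main(void)
{
    char line[16] = "abcdefgh";   /* constructed sample data */

    /* The wrapper flags the overlap; the fix is the memmove() variant. */
    if (CHECKED_MEMCPY(line + 2, line, 4) == NULL)
        shift_right(line, 4, 2);
    printf("%s\n", line);
    return 0;
}
```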

6.68. gnome-desktop

6.68.1. RHBA-2012:1352 — gnome-desktop bug fix update

Updated gnome-desktop packages that fix a bug are now available.

The gnome-desktop package contains an internal library (libgnome-desktop) used to implement some portions of the GNOME desktop, and also some data files and other shared components of the GNOME user environment.

Bug Fix

BZ#829891
Previously, when a user hit the system's hot-key (most commonly Fn+F7) to change display configurations, the system could potentially switch to an invalid mode, which would fail to display. With this update, gnome-desktop now selects valid XRandR modes and switching displays with the hot-key works as expected.

All users of gnome-desktop are advised to upgrade to these updated packages, which fix this bug.

6.69. gnome-packagekit

6.69.1. RHBA-2013:0280 — gnome-packagekit bug fix update

An updated gnome-packagekit package that fixes four bugs is now available.

gnome-packagekit provides session applications for the PackageKit API.

Bug Fixes


BZ#744980

If a package adds or removes a .repo file while updates are being installed, PackageKit (packagekitd) sends a RepoListChanged() message. If Software Update (/usr/bin/gpk-update-viewer) was being used to install these updates, it responded to the message by attempting to refresh the available updates list. This resulted in said list going blank. As of this update, gpk-update-viewer ignores such signals from packagekitd, leaving the available updates list visible and unchanged.

BZ#744906

When a 64-bit Red Hat Enterprise Linux instance had both 32-bit and 64-bit versions of a package installed, and an update for both packages was available and presented in the Software Update (/usr/bin/gpk-update-viewer) window, the summary and package name appeared for both architectures. Package size and the errata note only presented for the 32-bit version, however. For the 64-bit version, the size column remained blank. And, when the 64-bit version was selected in Software list, the display pane below presented a ‘Loading...’ message rather than the errata note. With this update, gpk-update-viewer seeks out the exact package ID before falling back to the package name, ensuring both package versions are found and associated meta-data displayed when more than one package architecture is installed.

BZ#694793

When an application is installed using the Add/Remove Software interface (/usr/bin/gpk-application), a dialogue box appears immediately post-install offering a Run button. Clicking this button launches the newly-installed program. Previously, under some circumstances, an improperly assigned pointer value meant clicking this Run button caused gpk-application to crash (segfault). With this update, the pointer is correctly assigned and gpk-application no longer crashes when launching a newly-installed application.

BZ#669798

Previously, it was possible for an ordinary user to shut down their system or log out of a session while the PackageKit update tool was running. Depending on the transaction PackageKit was engaged in when the shutdown or logout was initiated, this could damage the RPM database and, consequently, damage the system. With this update, when ordinary users attempt to shut down or log out while PackageKit is running an update, PackageKit inhibits the process and presents the user with an alert:

A transaction that cannot be interrupted is running.

Note: this update does not prevent a root user (or other user with equivalent administrative privileges) from shutting the system down or logging an ordinary user out of their session.

All PackageKit users should install this update which resolves these issues.

6.70. gnome-screensaver

6.70.1. RHBA-2013:0390 — gnome-screensaver bug fix update

Updated gnome-screensaver packages that fix several bugs are now available for Red Hat Enterprise Linux 6.


The gnome-screensaver packages contain the GNOME project's official screen saver program. The screen saver is designed for improved integration with the GNOME desktop, including themeability, language support, and Human Interface Guidelines (HIG) compliance. It also provides screen-locking and fast user-switching from a locked screen.

Bug Fixes

BZ#648869

Previously, NVIDIA hardware did not support the X Resize and Rotate Extension (xRandR) gamma changes. Consequently, the fade-out function did not work on the NVIDIA hardware. With this update, xRandR gamma support detection code fails on NVIDIA cards, and the XF86VM gamma fade extension is automatically used as a fallback so the fade-out function works as expected.

BZ#744763

Previously, the mouse cursor could be moved to a non-primary monitor so the unlock dialog box did not appear when the user moved the mouse. This bug has been fixed and the mouse cursor can no longer be moved to a non-primary monitor. As a result, the unlock dialog box comes up anytime the user moves the mouse.

BZ#752230

Previously, the shake animation of the unlock dialog box could appear to be very slow. This was because the background was updated every time the window's size allocation changed, and the widget's size allocation consequently changed every frame of the shake animation. The underlying source code has been modified to ensure a reasonable speed of the shake animation.

BZ#759395

When a Mandatory profile was enabled, the "Lock screen when screen saver is active" option in the Screensaver Preferences window was not disabled. This bug could expose the users to a security risk. With this update, the lock-screen option is disabled as expected in the described scenario.

BZ#824752

When using dual screens, moving the mouse did not unlock gnome-screensaver after the initial timeout. The users had to press a key to unlock the screen. The underlying source code has been modified and the user can now unlock gnome-screensaver by moving the mouse.

All users of gnome-screensaver are advised to upgrade to these updated packages, which fix these bugs.

6.71. gnome-settings-daemon

6.71.1. RHBA-2013:0312 — gnome-settings-daemon bug fix and enhancement update

Updated gnome-settings-daemon packages that fix several bugs and add two enhancements are now available for Red Hat Enterprise Linux 6.


The gnome-settings-daemon packages contain a daemon to share settings from GNOME with other applications. It also handles global key bindings, as well as a number of desktop-wide settings.

Bug Fixes

BZ#805064

Previously, the LED indicators of some Wacom graphics tablets were not supported in the gnome-settings-daemon package. Consequently, the status LEDs on Wacom tablets would not accurately indicate the current control mode. With this update, LED support has been added to gnome-settings-daemon. As a result, the tablet LEDs now work as expected.

BZ#812363

Previously, using function keys without modifiers (F1, F2, and so on) as keyboard shortcuts for custom actions did not work. With this update, a patch has been added to fix this bug. As a result, gnome-settings-daemon now allows unmodified function keys to be used as keyboard shortcuts for custom actions.

BZ#824757

In certain cases, the gnome-settings-daemon did not properly handle the display configuration settings. Consequently, using the system's hot-key to change the display configuration either did not select a valid XRandR configuration or kept monitors in clone mode. This bug has been fixed and gnome-settings-daemon now selects valid XRandR modes and handles the clone mode as expected.

BZ#826128

Previously, connecting a screen tablet to a computer before activation of the tablet screen caused the input device to be matched with the only available monitor - the computer screen. Consequently, the stylus motions were incorrectly mapped to the computer screen instead of the tablet itself. With this update, a patch has been introduced to detect the tablet screen as soon as it becomes available. As a result, the device is correctly re-matched when the tablet screen is detected.

BZ#839328

Previously, using the shift key within a predefined keyboard shortcut mapped to the tablet's ExpressKey button caused gnome-settings-daemon to crash after pressing ExpressKey. This bug has been fixed, and the shortcuts which use the shift key can now be mapped to ExpressKey without complications.

BZ#853181

Prior to this update, the mouse plug-in in the gnome-settings-daemon package interfered with Wacom devices. Consequently, using ExpressKey on a tablet after hot-plugging generated mouse click events. With this update, the mouse plug-in has been fixed to ignore tablet devices and the interference no longer occurs.

BZ#886922

Previously, on tablets with multiple mode-switch buttons such as the Wacom Cintiq 24HD, all mode-switch buttons would cycle through the different modes. With this update, each different mode-switch button will select the right mode for the given button.


BZ#861890

Due to a bug in the gnome settings daemon, changing the monitor layout led to incorrect tablet mapping. With this update, the graphics tablet mapping is automatically updated when the monitor layout is changed. As a result, the stylus movements are correctly mapped after the layout change and no manual update is needed.

Enhancements

BZ#772728

With this update, several integration improvements for Wacom graphics tablets have been backported from upstream:

- touchscreen devices are now automatically set in absolute mode instead of relative
- memory leaks on tablet hot plug have been fixed
- ExpressKeys no longer fail after the layout rotation
- test applications are now included in the package to help with debugging issues.

BZ#858255

With this update, the touch feature of input devices has been enabled in the default settings of gnome-settings-daemon.

All users of gnome-settings-daemon are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.72. gnome-terminal

6.72.1. RHBA-2012:1311 — gnome-terminal bug fix update

Updated gnome-terminal packages that fix one bug are now available for Red Hat Enterprise Linux 6.

Gnome-terminal is a terminal emulator for GNOME. It supports translucent backgrounds, opening multiple terminals in a single window (tabs) and clickable URLs.

Bug Fix

BZ#819796

Prior to this update, gnome-terminal was not completely localized into Assamese. With this update, the Assamese locale has been updated.

All gnome-terminal users are advised to upgrade to these updated packages, which fix this bug.

6.73. gnutls

6.73.1. RHBA-2013:0425 — gnutls bug fix update

Updated gnutls packages that fix four bugs are now available for Red Hat Enterprise Linux 6.

The gnutls packages provide the GNU Transport Layer Security (GnuTLS) library, which implements cryptographic algorithms and protocols such as SSL, TLS, and DTLS.


Bug Fixes

BZ#648297

Previously, the gnutls_priority_init.3 man page contained incorrect information on the gnutls-2.8.5-safe-renegotiation patch, particularly on special control keywords. The manual page has been updated to provide accurate information about the described subject.

BZ#745242

Prior to this update, the gnutls_x509_privkey_import() function failed to load private keys in the PKCS#8 format. Consequently, these keys were not processed by applications which use gnutls_x509_privkey_import(). This bug has been fixed, and gnutls_x509_privkey_import() now allows loading of private keys formatted in PKCS#8.

BZ#771378

Multiple bugs were present in the implementation of the TLS-1.2 protocol in the gnutls package. Consequently, gnutls was incompatible with clients and servers conforming to the TLS-1.2 protocol standard. With this update, the TLS-1.2 implementation has been fixed. As a result, the compatibility of gnutls with other TLS-1.2 clients and servers is now assured.

BZ#807746

Previously, the gnutls-cli-debug man page contained typographical errors and incorrect information on the command-line options. The manual page has been updated, and no longer contains the aforementioned errors.

All users of gnutls are advised to upgrade to these updated packages, which fix these bugs.

6.74. graphviz

6.74.1. RHBA-2012:1291 — graphviz bug fix update

Updated graphviz packages that fix three bugs are now available for Red Hat Enterprise Linux 6.

Graphviz is open-source graph-visualization software. Graph visualization is a way of representing structural information as diagrams of abstract graphs and networks. It has important applications in networking, bioinformatics, software engineering, database and web design, machine learning, and in visual interfaces for other technical domains.

Bug Fixes

BZ#772637

Previously, the dot tool could generate different images on 32-bit and 64-bit architectures, which could consequently lead to multilib conflicts of packages that use graphviz during its build process. The problem was caused by different instructions used for floating-point processing. On 32-bit Intel architecture, the code is now compiled with the "-ffloat-store" compiler flag, which ensures that identical images are generated regardless of the used architecture.

BZ#821920

The graphviz-tcl package included the "demo" directory, which contained examples in various languages. This caused implicit dependencies to be introduced. With this update, all examples are installed as documentation, which reduces the number of implicit dependencies.

BZ#849134

The "dot -c" command which is run in the %postun scriptlet recreates graphviz configuration files to be up-to-date with the current state of the installed plug-ins. Previously, if the command failed to load plug-ins specified in the configuration files, warning messages were printed when removing the graphviz-gd package. These messages could have been confusing, and have been therefore removed.

All users of graphviz are advised to upgrade to these updated packages, which fix these bugs.

6.75. grub

6.75.1. RHBA-2013:0428 — grub bug fix and enhancement update

Updated grub packages that fix several bugs and add two enhancements are now available for Red Hat Enterprise Linux 6.

The GRUB utility is a powerful boot loader, which can load a wide variety of operating systems.

Bug Fixes

BZ#783169

When the BIOS was set to Unified Extensible Firmware Interface (UEFI) mode, all legacy option ROMs in the setup were disabled, and the grub.efi utility was loaded, an attempt to access the network with the NET0 protocol was not successful and the "nd" root command did not work. This bug has been fixed and GRUB works correctly in this situation.

BZ#814014

Previously, the GRUB utility did not scan for KVM virtio disks when creating a device map. Consequently, these disks were not added to this map. This bug has been fixed and GRUB now scans for vd* devices located in the /dev/ directory, so virtio disks are added to a device map as expected.

BZ#825054

The GRUB utility did not pass high order address bits for the Extensible Firmware Interface (EFI) memory map and system table high order bits. As a consequence, the EFI system map and memory map did not work correctly on computers with RAM larger than 4 GB. This bug has been fixed by passing high order address bits, so that grub works properly in the described scenario.

BZ#870420

When symbolic links in the /dev/mapper/ directory were resolved to the original file, this file did not match the proper file entry in the device.map file. Consequently, the grub-install package failed and an error message was returned. With this update, symbolic links in the /dev/mapper/ directory are no longer resolved. As a result, grub-install proceeds as expected.

BZ#876519


Due to an error in the underlying source code, an incorrect attempt to dereference a NULL pointer could previously cause GRUB to terminate unexpectedly. This update corrects the underlying source code to prevent this error so that GRUB no longer crashes.

Enhancements

BZ#642396

This enhancement includes support for IPv6 UEFI 2.3.1 netboot, which was previously missing.

BZ#737732

With this update, the users can use EFI boot partition as a root partition, which can be specified in the grub.conf file. As a consequence, the users do not have to specify a particular drive, but can use the one specified in the EFI boot manager.

All users of GRUB are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.76. gstreamer-plugins-base

6.76.1. RHEA-2012:1473 — gstreamer-plugins-base enhancement update

Updated gstreamer-plugins-base packages that add one enhancement are now available for Red Hat Enterprise Linux 6.

The gstreamer-plugins-base packages provide a collection of base plug-ins for the GStreamer streaming media framework.

Enhancement

BZ#755777

This update adds color-matrix support for color conversions to the ffmpegcolorspace plugin.

All users of gstreamer-plugins-base are advised to upgrade to these updated packages, which add this enhancement.

6.77. gtk2

6.77.1. RHBA-2013:0493 — gtk2 bug fix update

Updated gtk2 packages that fix two bugs are now available for Red Hat Enterprise Linux 6.

GIMP Toolkit (GTK+) is a multi-platform toolkit for creating graphical user interfaces.

Bug Fixes

BZ#882346

Due to a recent change in the behavior of one of the X.Org Server components, GTK+ applications could not use certain key combinations for key bindings. This update makes GTK+ compatible with the new behavior, which ensures that no regressions occur in applications that use the library.

BZ#889172

Previously, when switching between the "Recently Used" and "Search" tabs in the “Open Files” dialog box, the "Size" column in the view disappeared. This update ensures the column is visible when the relevant option is selected.

Users of GTK+ are advised to upgrade to these updated packages, which fix these bugs.

6.78. gvfs

6.78.1. RHBA-2012:1124 — gvfs bug fix and enhancement update

Updated gvfs packages that fix multiple bugs are now available for Red Hat Enterprise Linux 6.

GVFS is the GNOME desktop's virtual file system layer, which allows users to easily access local and remote data, including via the FTP, SFTP, WebDAV, CIFS and SMB protocols, among others. GVFS integrates with the GIO (GNOME I/O) abstraction layer.

Bug Fixes

BZ#599055

Previously, rules for ignoring mounts were too restrictive. If the user clicked on an encrypted volume in the Nautilus sidebar, an error message was displayed and the volume could not be accessed. The underlying source code now contains additional checks so that encrypted volumes have proper mounts associated (if available), and the file system can be browsed as expected.

BZ#669526

Due to a bug in the kernel, a freshly formatted Blu-ray Disk Rewritable (BD-RE) medium contains a single track with invalid data that covers the whole medium. This empty track was previously incorrectly detected, causing the drive to be unusable for certain applications, such as Brasero. This update adds a workaround to detect the empty track, so that freshly formatted BD-RE media are properly recognized as blank.

BZ#682799, BZ#746977, BZ#746978, BZ#749369, BZ#749371, BZ#749372

The code of the gvfs-info, gvfs-open, gvfs-cat, gvfs-ls and gvfs-mount utilities contained hard-coded exit codes. This caused the utilities to always return zero on exit. The exit codes have been revised so that the mentioned gvfs utilities now return proper exit codes.

BZ#746905

When running gvfs-set-attribute with an invalid command-line argument specified, the utility terminated unexpectedly with a segmentation fault. The underlying source code has been modified so that the utility now prints a proper error message when an invalid argument is specified.

BZ#809708

Due to missing object cleanup calls, the gvfsd daemon could use an excessive amount of memory, which caused the system to become unresponsive. Proper object cleanup calls have been added with this update, which ensures that the memory consumption is constant and the system does not hang in this scenario.

All users of gvfs are advised to upgrade to these updated packages, which fix these bugs.

6.79. hivex

6.79.1. RHBA-2013:0433 — hivex bug fix update

Updated hivex packages that fix two bugs are now available for Red Hat Enterprise Linux 6.

Hivex is a library for extracting the contents of Windows Registry "hive" files, which is designed to be secure against corrupted or malicious registry files. Hive files are undocumented binary files.

Bug Fixes

BZ#822741

Previously, the description of the package contained inappropriate text. This update provides a correction of the language used and now, the spec file contains only neutral expressions.

BZ#841924

Certain hive files that had a very large number of child nodes under a single parent node could not be parsed. A patch has been added to allow read-only access to these child nodes.

Users of hivex are advised to upgrade to these updated packages, which fix these bugs.

6.80. hplip

6.80.1. RHSA-2013:0500 — Low: hplip security, bug fix and enhancement update

Updated hplip packages that fix several security issues, multiple bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.

The hplip packages contain the Hewlett-Packard Linux Imaging and Printing Project (HPLIP), which provides drivers for Hewlett-Packard printers and multi-function peripherals.

Security Fix

CVE-2013-0200, CVE-2011-2722

Several temporary file handling flaws were found in HPLIP. A local attacker could use these flaws to perform a symbolic link attack, overwriting arbitrary files accessible to a process using HPLIP.


The CVE-2013-0200 issues were discovered by Tim Waugh of Red Hat.
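The flaw class named above (temporary files that can be redirected through a symbolic link), as an added example that is not HPLIP code: it compares a fixed, guessable temporary path with exclusive creation and with tempfile.mkstemp(). The file names and the sandbox directory standing in for /tmp are constructed for the demonstration.

```python
import os
import stat
import tempfile


def write_predictable(path, data):
    """Unsafe pattern: open() on a fixed, guessable name follows an existing symlink."""
    with open(path, "w") as fh:
        fh.write(data)


def write_exclusive(path, data):
    """Hardened: O_CREAT|O_EXCL fails if anything, a symlink included, already has this name."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)


def write_mkstemp(directory, data):
    """Preferred: mkstemp() picks an unpredictable name and creates it exclusively, mode 0600."""
    fd, path = tempfile.mkstemp(prefix="job-", dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path


def _read(path):
    with open(path) as fh:
        return fh.read()


def demo():
    """Run all three patterns inside a private sandbox and report what happened."""
    results = {}
    with tempfile.TemporaryDirectory() as sandbox:
        shared = os.path.join(sandbox, "tmp")            # stands in for a world-writable /tmp
        os.mkdir(shared)
        victim = os.path.join(sandbox, "victim.conf")    # file the writing process can modify
        fixed_name = os.path.join(shared, "app-scratch.tmp")  # constructed predictable name

        # A link planted at the predictable name before the program runs.
        with open(victim, "w") as fh:
            fh.write("original\n")
        os.symlink(victim, fixed_name)

        # 1. Predictable name: the write lands in the link target.
        write_predictable(fixed_name, "scratch\n")
        results["predictable_clobbered_victim"] = _read(victim) == "scratch\n"

        # 2. Exclusive creation: the planted link makes the open fail instead.
        with open(victim, "w") as fh:
            fh.write("original\n")
        try:
            write_exclusive(fixed_name, "scratch\n")
            results["exclusive_refused"] = False
        except OSError:
            results["exclusive_refused"] = True
        results["victim_intact_after_exclusive"] = _read(victim) == "original\n"

        # 3. mkstemp: a fresh regular file, readable and writable by the owner only.
        path = write_mkstemp(shared, "scratch\n")
        info = os.lstat(path)
        results["mkstemp_regular_file"] = stat.S_ISREG(info.st_mode)
        results["mkstemp_mode"] = stat.S_IMODE(info.st_mode)
        results["victim_intact_after_mkstemp"] = _read(victim) == "original\n"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```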

Note

The hplip packages have been upgraded to upstream version 3.12.4, which provides a number of bug fixes and enhancements over the previous version. (BZ#731900)

Bug Fixes

BZ#829453

Previously, the hpijs package required the obsolete cupsddk-drivers package, which was provided by the cups package. Under certain circumstances, this dependency caused hpijs installation to fail. This bug has been fixed and hpijs no longer requires cupsddk-drivers.

BZ#683007

The configuration of the Scanner Access Now Easy (SANE) back end is located in the /etc/sane.d/dll.d/ directory, however, the hp-check utility checked only the /etc/sane.d/dll.conf file. Consequently, hp-check checked for correct installation, but incorrectly reported a problem with the way the SANE back end was installed. With this update, hp-check properly checks for installation problems in both locations as expected.

All users of hplip are advised to upgrade to these updated packages, which fix these issues and add these enhancements.

6.81. hsqldb

6.81.1. RHBA-2013:0334 — hsqldb bug fix update

Updated hsqldb packages that fix one bug are now available for Red Hat Enterprise Linux 6.

The hsqldb packages provide a relational database management system written in Java. The Hyper Structured Query Language Database (HSQLDB) contains a JDBC driver to support a subset of ANSI-92 SQL.

Bug Fix

BZ#827343

Prior to this update, the hsqldb database did not depend on java packages of version 1:1.6.0 or later. As a consequence, the build-classpath command failed on systems without the java-1.6.0-openjdk package installed and the hsqldb packages could be installed incorrectly. This update adds a requirement for java-1.6.0-openjdk. Now, the installation of hsqldb proceeds correctly as expected.

All users of hsqldb are advised to upgrade to these updated packages, which fix this bug.

6.82. httpd


6.82.1. RHSA-2013:0512 — Low: httpd security, bug fix and enhancement update

Updated httpd packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.

The httpd packages contain the Apache HTTP Server (httpd), which is the namesake project of The Apache Software Foundation.

Security Fixes

CVE-2008-0455, CVE-2012-2687

An input sanitization flaw was found in the mod_negotiation Apache HTTP Server module. A remote attacker able to upload or create files with arbitrary names in a directory that has the MultiViews options enabled, could use this flaw to conduct cross-site scripting attacks against users visiting the site.

CVE-2012-4557

It was discovered that mod_proxy_ajp, when used in configurations with mod_proxy in load balancer mode, would mark a back-end server as failed when request processing timed out, even when a previous AJP (Apache JServ Protocol) CPing request was responded to by the back-end. A remote attacker able to make a back-end use an excessive amount of time to process a request could cause mod_proxy to not send requests to back-end AJP servers for the retry timeout period or until all back-end servers were marked as failed.

Bug Fixes

BZ#787247

When the Apache module mod_proxy was configured, and a particular back-end URL was reverse proxied into the server two or more times, a spurious warning in the following format was given:

[warn] worker [URL] already used by another worker

The level of this message has been changed from WARNING to INFO as it is not incorrect to proxy more than one URL to the same back-end server.

BZ#822587

The mod_cache module did not handle 206 partial HTTP responses correctly. This resulted in incorrect responses being returned to clients if a cache was configured. With this update, mod_cache no longer caches 206 responses, thus ensuring correct responses are returned.

BZ#829689

If LDAP authentication was used with a Novell eDirectory LDAP server, mod_ldap could return a 500 Internal Server Error response if the LDAP server was temporarily unavailable. This update fixes mod_ldap to retry LDAP requests if the server is unavailable, and the 500 errors will not be returned in this case.


BZ#837086

Previously, mod_proxy_connect performed unnecessary DNS queries when ProxyRemote was configured. Consequently, in configurations with ProxyRemote, mod_proxy_connect could either fail to connect, or be slow to connect to the remote server. This update changes mod_proxy to omit DNS queries if ProxyRemote is configured. As a result, the proxy no longer fails in such configurations.

BZ#837613

When an SSL request failed and the -v 2 option was used, the ApacheBench (ab) benchmarking tool tried to free a certificate twice. Consequently, ab terminated unexpectedly due to a double free() error. The ab tool has been fixed to free certificates only once. As a result, the ab tool no longer crashes in the scenario described.

BZ#848954

Previously, mod_ssl presumed the private key was set after the certificate in SSLProxyMachineCertificateFile. Consequently, httpd terminated unexpectedly if the private key had been set before the certificate in SSLProxyMachineCertificateFile. This update improves mod_ssl to check if the private key is set before the certificate. As a result, mod_ssl no longer crashes in this situation and prints an error message instead.

BZ#853160

Prior to this update, mod_proxy_ajp did not correctly handle a flush message from a Java application server if received before the HTTP response headers had been sent. Consequently, users could receive a truncated response page without the correct HTTP headers. This update fixes mod_proxy_ajp to ignore flush messages before the HTTP response headers have been sent. As a result, truncated responses are no longer sent in the scenario described.

BZ#853348

In a proxy configuration, certain response-line strings were not handled correctly. If a response-line without a description string was received from the origin server, for a non-standard status code, such as the 450 status code, a 500 Internal Server Error would be returned to the client. This bug has been fixed so that the original response line is returned to the client.

BZ#867268

Previously, the value of ${cookie}C in the LogFormat directive's definition matched substrings of cookie. Consequently, a bad cookie could be printed if its name contained a substring of the name defined in LogFormat using the ${cookie}C string. With this update, the code is improved so that cookie names are now matched exactly. As a result, a proper cookie is returned even when there are other cookies with its substring in their name.

BZ#867745

Previously, no check was made to see if the /etc/pki/tls/private/localhost.key file was a valid key prior to running the %post script for the mod_ssl package. Consequently, when /etc/pki/tls/certs/localhost.crt did not exist and localhost.key was present but invalid, upgrading the Apache HTTP Server daemon (httpd) with mod_ssl failed. The %post script has been fixed to test for an existing SSL key. As a result, upgrading httpd with mod_ssl now proceeds as expected.

BZ#868253

Previously, in a reverse proxy configuration, mod_cache did not correctly handle a 304 Not Modified response from the origin server when refreshing a cache entry. Consequently, in some cases an empty page was returned to a client requesting an entity which already existed in the cache. This update fixes handling of 304 Not Modified responses in mod_cache and as a result no empty pages will be displayed in the scenario described.

BZ#868283

Due to a regression, when mod_cache received a non-cacheable 304 response, the headers were served incorrectly. Consequently, compressed data could be returned to the client without the cached headers to indicate the data was compressed. An upstream patch has been applied to merge response and cached headers before data from the cache is served to the client. As a result, cached data is now correctly interpreted by the client.
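A simplified model of the cookie lookup described in BZ#867268, added here as an illustration and not taken from httpd's source: substring matching of a cookie name is compared with exact matching, with a helper for reviewing access logs written before the fix. The function names and the sample Cookie header are constructed.

```python
# Constructed Cookie request header: "xsession" contains the logged name "session".
SAMPLE_HEADER = "xsession=decoy; session=abc123; theme=dark"


def parse_cookie_pairs(header):
    """Split a Cookie header into (name, value) pairs, skipping malformed items."""
    pairs = []
    for item in header.split(";"):
        name, sep, value = item.strip().partition("=")
        if sep and name:
            pairs.append((name, value))
    return pairs


def cookie_by_substring(header, wanted):
    """Model of the pre-fix behaviour: first occurrence of 'wanted=' anywhere in the header."""
    idx = header.find(wanted + "=")
    if idx < 0:
        return None
    start = idx + len(wanted) + 1
    end = header.find(";", start)
    if end < 0:
        end = len(header)
    return header[start:end].strip()


def cookie_exact(header, wanted):
    """Model of the fixed behaviour: the cookie name must equal 'wanted'."""
    for name, value in parse_cookie_pairs(header):
        if name == wanted:
            return value
    return None


def ambiguous_names(header, wanted):
    """Cookie names that contain 'wanted' without being equal to it.

    Deliberately conservative: any such name means a value logged by a
    substring-matching server may belong to a different cookie.
    """
    return [name for name, _ in parse_cookie_pairs(header)
            if wanted in name and name != wanted]


if __name__ == "__main__":
    print("substring lookup:", cookie_by_substring(SAMPLE_HEADER, "session"))
    print("exact lookup:    ", cookie_exact(SAMPLE_HEADER, "session"))
    print("ambiguous names: ", ambiguous_names(SAMPLE_HEADER, "session"))
```

When access logs feed detection or forensics, a value recorded under the logged cookie name on an unpatched server is only trustworthy if `ambiguous_names()` is empty for that request.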

Enhancements

BZ#748400

The Apache module mod_proxy now allows changing the BalancerMember state in the web interface.

BZ#757735

The rotatelogs program now provides a new rotatelogs -p option to execute a custom program after each log rotation.

BZ#757739

The rotatelogs program now provides a new rotatelogs -c option to create log files for each set interval, even if empty.

BZ#796958

The LDAPReferrals configuration directive has been added, as an alias for the existing LDAPChaseReferrals directive.

BZ#805720

The mod_proxy and mod_ssl modules have been updated to support the concurrent use of the mod_nss (NSS) and mod_ssl (OpenSSL) modules.

BZ#805810

An init script for the htcacheclean daemon has been added.

BZ#824571

The failonstatus parameter has been added for balancer configuration in mod_proxy.


BZ#828896

Previously, mod_authnz_ldap had the ability to set environment variables from received LDAP attributes, but only by LDAP authentication, not by LDAP authorization. Consequently, if the mod_authnz_ldap module was used to enable LDAP for authorization but not authentication, the AUTHORIZE_ environment variables were not populated. This update applies a patch to implement setting of AUTHORIZE_ environment variables using LDAP authorization. As a result, other methods of authentication can be used while using LDAP authorization for setting environment variables for all configured LDAP attributes.

BZ#833064

The %posttrans scriptlet which automatically restarts the httpd service after a package upgrade can now be disabled. If the file /etc/sysconfig/httpd-disable-posttrans exists, the scriptlet will not restart the daemon.

BZ#833092

The output of httpd -S now includes configured alias names for each virtual host.

BZ#838493

The rotatelogs program has been updated to support the -L option to create a hard link from the current log to a specified path.

BZ#842375

New certificate variable names are now exposed by mod_ssl using the _DN_userID suffix, such as SSL_CLIENT_S_DN_userID, which uses the commonly used object identifier (OID) definition of userID, OID 0.9.2342.19200300.100.1.1.

BZ#842376

Chunked Transfer Coding is described in RFC 2616. Previously, the Apache server did not correctly handle a chunked encoded POST request with a chunk-size or chunk-extension value of 32 bytes or more. Consequently, when such a POST request was made the server did not respond. An upstream patch has been applied and the problem no longer occurs.
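The chunk format from RFC 2616 that BZ#842376 refers to, as an added Python example (not httpd's code or the upstream patch): a strict decoder that accepts chunk-size fields and chunk-extensions longer than 32 bytes. The size limits and the sample body are assumptions constructed for the illustration.

```python
import re

MAX_LINE = 8192        # assumed cap on the length of one chunk header line
MAX_CHUNK = 1 << 24    # assumed cap on the data in one chunk (16 MiB)
HEX_RE = re.compile(rb"[0-9A-Fa-f]+")


def _read_line(buf, pos):
    """Return (line, next_pos) for the CRLF-terminated line starting at pos."""
    end = buf.find(b"\r\n", pos)
    if end < 0:
        raise ValueError("truncated body: missing CRLF")
    if end - pos > MAX_LINE:
        raise ValueError("chunk header line too long")
    return buf[pos:end], end + 2


def _parse_extensions(raw):
    """Split 'name=value;flag' into [(name, value-or-None), ...]."""
    pairs = []
    for item in raw.split(b";"):
        if not item:
            raise ValueError("empty chunk-extension")
        name, sep, value = item.partition(b"=")
        pairs.append((name.decode("ascii"),
                      value.decode("ascii") if sep else None))
    return pairs


def decode_chunked(body):
    """Decode a chunked body; return (payload, chunk_extensions).

    chunk = chunk-size [ chunk-extension ] CRLF chunk-data CRLF
    The header line is read up to its CRLF, so its length is bounded only
    by MAX_LINE, not by a small fixed buffer.
    """
    pos, payload, extensions = 0, bytearray(), []
    while True:
        line, pos = _read_line(body, pos)
        size_field, sep, ext = line.partition(b";")
        if not HEX_RE.fullmatch(size_field):
            raise ValueError("invalid chunk-size")
        if sep:
            extensions.extend(_parse_extensions(ext))
        size = int(size_field.decode("ascii"), 16)  # leading zeros are legal
        if size > MAX_CHUNK:
            raise ValueError("chunk too large")
        if size == 0:                               # last-chunk
            break
        data_end = pos + size
        if body[data_end:data_end + 2] != b"\r\n":
            raise ValueError("chunk-data truncated or not followed by CRLF")
        payload += body[pos:data_end]
        pos = data_end + 2
    # Trailer: zero or more header lines, terminated by an empty line.
    while True:
        line, pos = _read_line(body, pos)
        if not line:
            return bytes(payload), extensions


# Constructed sample: a 40-byte chunk-size field (leading zeros) and a
# chunk-extension value of 40 bytes, both past the 32-byte mark.
SAMPLE = (
    b"0" * 39 + b"5\r\n" + b"hello\r\n"
    + b"6;note=" + b"x" * 40 + b"\r\n" + b" world\r\n"
    + b"0\r\n\r\n"
)

if __name__ == "__main__":
    data, exts = decode_chunked(SAMPLE)
    print(data, exts)
```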

Users of httpd are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.83. hwdata

6.83.1. RHEA-2013:0376 — hwdata enhancement update

An updated hwdata package that adds various enhancements is now available for Red Hat Enterprise Linux 6.

The hwdata package contains tools for accessing and displaying hardware identification and configuration data.

Enhancements

BZ#839221

The PCI ID numbers have been updated for the Beta and the Final compose lists.

BZ#739816

Support for NVidia graphic card N14E-Q5, 0x11BC has been added.

BZ#739819

Support for NVidia graphic card N14E-Q3, 0x11BD has been added.

BZ#739821

Support for NVidia graphic card N14E-Q1, 0x11BE has been added.

BZ#739824

Support for NVidia graphic card N14P-Q3, 0x0FFB has been added.

BZ#739825

Support for NVidia graphic card N14P-Q1, 0x0FFC has been added.

BZ#760031

Support for Broadcom BCM943228HM4L 802.11a/b/g/n 2x2 Wi-Fi Adapter has been added.

BZ#830253

Support for Boot from Dell PowerEdge Express Flash PCIe SSD devices has been added.

BZ#841423

Support for the Intel C228 chipset and a future Intel processor based on Socket H3 has been added.

BZ#814114

This update also adds the current hardware USB IDs file from the upstream repository. This file provides support for Broadcom 20702 Bluetooth 4.0 Adapter Softsailing.

All users of hwdata are advised to upgrade to this updated package, which adds these enhancements.

6.84. hwloc

6.84.1. RHBA-2013:0331 — hwloc bug fix and enhancement update

Updated hwloc packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The hwloc package provides Portable Hardware Locality, which is a portable abstraction of the hierarchical topology of current architectures.

Upgrade to an upstream version

The hwloc packages have been upgraded to upstream version 1.5, which provides a number of bug fixes and enhancements over the previous version. (BZ#797576)

Users of hwloc are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.85. icedtea-web

6.85.1. RHBA-2013:0491 — icedtea-web bug fix update

Updated icedtea-web packages that fix one bug are now available for Red Hat Enterprise Linux 6.

The IcedTea-Web project provides a Java web browser plug-in and an implementation of Java Web Start, which is based on the Netx project. It also contains a configuration tool for managing deployment settings for the plug-in and Web Start implementations.

Bug Fix

BZ#838084

Previously, the IcedTea-Web plug-in was built against JDK 6, but in runtime it was possible to use it with JDK 7. Consequently, IcedTea-Web sometimes failed to run. With this update, the icedtea-web package is built against JDK 7 and IcedTea-Web is using JDK 7 in runtime, thus preventing this bug. Note that the end of public updates for JDK 6 is scheduled to go into effect in upcoming weeks.

Users of icedtea-web are advised to upgrade to these updated packages, which fix this bug.

6.86. infinipath-psm

6.86.1. RHBA-2013:0536 — infinipath-psm bug fix update

Updated infinipath-psm packages that fix one bug are now available for Red Hat Enterprise Linux 6.

The PSM Messaging API, or PSM API, is Intel's (formerly QLogic's) low-level, user-level communication interface for the Truescale family of products. PSM users can use mechanisms necessary to implement higher-level communication interfaces in parallel environments.

Bug Fix

BZ#907361

Due to a packaging error, not all object files required for the infinipath-psm library were built into the library, rendering it non-functional. This update fixes the infinipath-psm Makefile, which now properly includes all required object files, and the library works as expected.

All users of infinipath-psm are advised to upgrade to these updated packages, which fix this bug.

6.87. initscripts

6.87.1. RHBA-2013:0518 — initscripts bug fix and enhancement update

An updated initscripts package that fixes several bugs and adds two enhancements is now available for Red Hat Enterprise Linux 6.

The initscripts package contains basic system scripts to boot the system, change runlevels, activate and deactivate most network interfaces, and shut the system down cleanly.

Bug Fixes

BZ#893395

Previously, an ip link command was called before the master device was properly set. Consequently, the slaves could be in the unknown state. This has been fixed by calling ip link for master after the device is installed properly, and all slaves are up. As a result, all slaves are in the expected state and connected to the master device.

BZ#714230

Previously, the naming policy for VLAN names was too strict. Consequently, the ifdown utility failed to work with descriptively-named interfaces. To fix this bug, the name format check has been removed and ifdown now works as expected.

BZ#879243

Prior to this update, there was a typographic error in the /etc/sysconfig/network-scripts/ifup-aliases file, which caused the duplicate check to fail. The typo has been corrected and the check works again.

BZ#885235

The BONDING_OPTS variable was applied by the ifup utility on a slave interface, even if the master was already on and had active slaves. This caused an error message to be returned by ifup. To address this bug, it is now checked whether the master does not have any active slaves before applying BONDING_OPTS, and no error messages are returned.

BZ#880684

Prior to this update, the arping utility, which checks for IP address duplicates in the network, failed when the parent device was not up. Consequently, the failure was handled the same way as finding of a second IP address in the network. To fix this bug, ifup-aliases now checks whether the master device is up before the duplicate check is run. As a result, no error messages are returned when the parent device is down in the described scenario.

BZ#723936

The rename_device.c file did not correspond with VLAN interfaces, and thus could lead to improperly named physical interfaces. A patch has been provided to address this bug and interfaces are now named predictably and properly.

BZ#856209

When calling the vgchange -a y command instead of vgchange -a ay on the netfs interface by the rc.sysinit daemon, all volumes were activated. This update provides a patch to fix this bug. Now, only the volumes declared to be activated are actually activated. If the list is not declared, all volumes are activated by default.

BZ#820430

Previously, when a slave was attached to a master interface, which did not have a correct mode set, the interface did not work properly and could eventually cause a kernel oops. To fix this bug, the BONDING_OPTS variables are set before the master interface is brought up, which is the correct order of setting.

BZ#862788

If there was a process blocking a file system from unmounting, the /etc/init.d/halt script tried to kill all processes currently using the file system, including the script itself. Consequently, the system became unresponsive during reboot. With this update, shutdown script PIDs are excluded from the kill command, which enables the system to reboot normally.

BZ#874030

When the ifup utility was used to set up a master interface, the BONDING_OPTS variables were not applied. Consequently, bonding mode configuration done through the ifcfg utility had no effect. A patch has been provided to fix this bug. BONDING_OPTS are now applied and bonding mode works in the described scenario.

BZ#824175

If a network bond device had a name that was a substring of another bond device, both devices changed their states due to an incorrect test of the bond device name. A patch has been provided in the regular expression test and bond devices change their states as expected.

BZ#755699

The udev daemon is an event-driven hot-plug agent. Previously, an udev event for serial console availability was emitted only on boot. If runlevels were changed, the process was not restarted, because the event had already been processed. Consequently, the serial console was not restarted when entering and then exiting runlevel 1. With this update, the fedora.serial-console-available event is emitted on the post-stop of the serial console, and the console is now restarted as expected.

BZ#852005

Prior to this update, no check if an address had already been used was performed for alias interfaces. Consequently, an already used IP address could be assigned to an alias interface. To fix this bug, the IP address is checked whether it is already used. If it is, an error message is returned and the IP address is not assigned.

BZ#852176

Previously, the init utility tried to add a bond device even if it already existed. Consequently, a warning message was returned. A patch that checks whether a bond device already exists has been provided and warning messages are no longer returned.

BZ#846140

Prior to this update, the crypttab(5) manual page did not describe handling white spaces in passwords. Now, the manual page has been updated and contains information concerning a password with white spaces.

BZ#870025

The previous crypttab(5) manual page contained a typographic error (crypptab instead of crypttab), which has now been corrected.

BZ#795778

Previously, usage description was missing in the /init/tty.conf and /init/serial.conf files and this information was not returned in error messages. With this update, the information has been added to the aforementioned files and is now returned via an error message.

BZ#669700

Prior to this update, the /dev/shm file system was mounted by the dracut utility without attributes from the /etc/fstab file. To fix this bug, /dev/shm is now remounted by the rc.sysinit script. As a result, /dev/shm now contains the attributes from /etc/fstab.

BZ#713757

The previous version of the sysconfig.txt file instructed users to put the VLAN=yes option in the global configuration file. Consequently, interfaces with names containing a dot were recognized as VLAN interfaces. The sysconfig.txt file has been changed so that the VLAN describing line instructs users to include the VLAN option in the interface configuration file, and the aforementioned devices are no longer recognized as VLAN interfaces.

BZ#869075

The sysconfig.txt file advised users to use the saslauthd -a command instead of saslauthd -v, which caused the command to fail with an error message. In sysconfig.txt, the error in the command has been corrected and the saslauthd utility now returns expected results.

BZ#714250

When the ifup utility initiated VLAN interfaces, the sysctl values were not used. With this update, ifup rereads the sysctl values in the described scenario and VLAN interfaces are configured as expected.

Enhancements

BZ#851370

The brctl daemon is used to connect two Ethernet segments in a protocol-independent way, based on an Ethernet address, rather than an IP address. In order to provide a simple and centralized bridge configuration, bridge options can now be used via BRIDGING_OPTS. As a result, a space-separated list of bridging options for either a bridge device or a port device can be added when the ifup utility is used.

BZ#554392

The updated halt.local file has been enhanced with new variables to reflect the character of call. This change leaves users with better knowledge of how halt.local was called during a halt sequence.

BZ#815431

With this update, it is possible to disable duplicate address detection in order to allow administrators to use direct routing without ARP checks.

Users of initscripts are advised to upgrade to this updated package, which fixes these bugs and adds these enhancements.

6.88. iok

6.88.1. RHBA-2012:1164 — iok bug fix update

Updated iok packages that fix two bugs are now available for Red Hat Enterprise Linux 6.

The iok package contains an Indic on-screen virtual keyboard that supports the Assamese, Bengali, Gujarati, Hindi, Kannada, Marathi, Malayalam, Punjabi, Oriya, Sindhi, Tamil and Telugu languages. Currently, iok works with Inscript and xkb keymaps for Indian languages, and is able to parse and display non-Inscript keymaps as well.

Bug Fixes

BZ#814541, BZ#814548

Previously, when saving a keymap with a specified name, a predefined naming convention was followed and the file name was saved with the "-" prefix without notifying the user. With this update, if the user attempts to save a keymap, a dialog box displaying the required file name format appears.

BZ#819795

This update provides the complete iok translation for all supported locales.

All users of iok are advised to upgrade to these updated packages, which fix these bugs.

6.89. ipa

6.89.1. RHSA-2013:0528 — Low: ipa security, bug fix and enhancement update

Updated ipa packages that fix one security issue, several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.

Red Hat Identity Management is a centralized authentication, identity management and authorization solution for both traditional and cloud-based enterprise environments. It integrates components of the Red Hat Directory Server, MIT Kerberos, Red Hat Certificate System, NTP, and DNS. It provides web browser and command-line interfaces. Its administration tools allow an administrator to quickly install, set up, and administer a group of domain controllers to meet the authentication and identity management requirements of large-scale Linux and UNIX deployments.

Upgrade to an upstream version

The ipa packages have been upgraded to upstream version 3.0.0, which provides a number of bug fixes and enhancements over the previous version. (BZ#827602)

Security Fix

CVE-2012-4546

It was found that the current default configuration of IPA servers did not publish correct CRLs (Certificate Revocation Lists). The default configuration specifies that every replica is to generate its own CRL, however this can result in inconsistencies in the CRL contents provided to clients from different Identity Management replicas. More specifically, if a certificate is revoked on one Identity Management replica, it will not show up on another Identity Management replica.
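One way to check replicas for the inconsistency described in CVE-2012-4546, as an added example (not part of IPA or of the erratum): it parses the text that `openssl crl -noout -text` prints for each replica's CRL and lists serials that are revoked on some replica but missing from another. The replica names and CRL contents are constructed samples.

```python
import re

SERIAL_RE = re.compile(r"^\s*Serial Number:\s*([0-9A-Fa-f]+)\s*$", re.MULTILINE)
CRLNUM_RE = re.compile(r"X509v3 CRL Number:\s*(0x[0-9A-Fa-f]+|\d+)")
ISSUER_RE = re.compile(r"^\s*Issuer:\s*(.+?)\s*$", re.MULTILINE)


def make_sample(crl_number, serials):
    """Build constructed text in the layout of `openssl crl -noout -text`."""
    lines = [
        "Certificate Revocation List (CRL):",
        "        Version 2 (0x1)",
        "        Issuer: O = EXAMPLE.TEST, CN = Certificate Authority",
        "        Last Update: Feb 20 10:00:00 2013 GMT",
        "        Next Update: Feb 20 14:00:00 2013 GMT",
        "        CRL extensions:",
        "            X509v3 CRL Number: ",
        "                %d" % crl_number,
    ]
    if serials:
        lines.append("Revoked Certificates:")
        for serial in serials:
            lines += ["    Serial Number: %02X" % serial,
                      "        Revocation Date: Feb 19 09:12:00 2013 GMT"]
    else:
        lines.append("No Revoked Certificates.")
    return "\n".join(lines) + "\n"


def parse_crl_text(text):
    """Extract issuer, CRL number and the set of revoked serials."""
    issuer = ISSUER_RE.search(text)
    number = CRLNUM_RE.search(text)
    return {
        "issuer": issuer.group(1) if issuer else None,
        "crl_number": int(number.group(1), 0) if number else None,
        "revoked": {int(s, 16) for s in SERIAL_RE.findall(text)},
    }


def find_inconsistencies(replica_texts):
    """Map replica name -> serials (hex) revoked elsewhere but absent here.

    Replicas whose CRL already contains every revoked serial are omitted,
    so an empty result means the CRLs agree.
    """
    parsed = {name: parse_crl_text(t) for name, t in replica_texts.items()}
    issuers = {p["issuer"] for p in parsed.values()}
    if len(issuers) > 1:
        raise ValueError("CRLs come from different issuers: %r" % sorted(map(str, issuers)))
    union = set().union(*(p["revoked"] for p in parsed.values()))
    report = {}
    for name, p in parsed.items():
        missing = sorted(union - p["revoked"])
        if missing:
            report[name] = [format(s, "02X") for s in missing]
    return report


# Constructed data: each replica generated its own CRL, as in the default
# configuration the advisory describes.
REPLICAS = {
    "ipa1.example.test": make_sample(42, [0x0B, 0x1F]),
    "ipa2.example.test": make_sample(17, [0x0B]),
    "ipa3.example.test": make_sample(5, []),
}

if __name__ == "__main__":
    for replica, serials in sorted(find_inconsistencies(REPLICAS).items()):
        print("%s is missing revoked serials: %s" % (replica, ", ".join(serials)))
```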

Bug Fixes

BZ#784378

When a master was removed from a replicated environment via the "ipa-replica-manage del" command, the metadata for that master was still contained in the other servers, thus the Directory Server replication plug-in produced warnings about the outdated metadata. Now, the Directory Server CLEANALLRUV task is triggered to handle outdated metadata in the whole replicated Directory Server environment and deleting an Identity Management replica no longer causes problems.

BZ#790515

When the "ipactl" command was used to start Identity Management, it waited only 6 seconds for the Directory Server to start and when the Directory Server did not start in time, the start procedure was aborted. A higher default start up wait value was added. A configurable value, "startup_timeout", can be added to /etc/ipa/default.conf or /etc/ipa/server.conf files when the default value of 120 seconds is not sufficient to start the Directory Server.

BZ#809565

Previously, DNS records could not be renamed and administrators had to re-enter all DNS records under certain names when the name changed. Now, rename operations for DNS records names and the rename option in the Identity Management CLI interface are able to rename a DNS name and all of its records to other names within the same zone.

BZ#811295

Before, when installing Identity Management, there was an option to choose a certificate subject base with a Common Name (CN) as one component. However, it is illegal to have more than one CN attribute in a certificate subject. This caused the Identity Management installation to fail. Now, the CN attribute in a subject base option is no longer allowed, administrators are warned when they choose an incorrect certificate subject base and Identity Management installs properly.

BZ#815837

The Identity Management Certificate Authority component did not accept Directory Manager passwords which were set to a non-ASCII control character, "&" or "\". Use of these characters in passwords caused a malformed XML error and the Identity Management installation failed when such characters were a part of the Directory Manager password. Currently, these characters are not allowed in the Identity Management installer and IdM installs successfully.

BZ#816317

The Identity Management server or client used programs from the policycoreutils package when SELinux was enabled. However, the installers did not check if the package was actually installed. This caused the Identity Management installation to terminate with a python backtrace when SELinux was enabled and the policycoreutils package was not installed on a system. Currently, the Identity Management installers no longer fail when SELinux is enabled and the policycoreutils package is missing, but, instead, ask the administrator to install it first.

BZ#817865

The "ipa" command or Identity Management installers forced a set of address families (IPv4, IPv6) when a network connection was established, instead of letting the system choose the right address family for the new connection. In some cases this caused the connection, command or installer to fail, or the connection to take longer than normal. Automatic address family detection has been implemented and is now respected, with the result that network connections established with an "ipa" command are faster and less vulnerable to errors caused by non-common network settings.

BZ#819629

Identity Management DNS modules used a "pull" model for updating DNS records provisioned to the BIND name server by a bind-dyndb-ldap plug-in. When a DNS zone LDAP entry or DNS records present in bind-dyndb-ldap cache were changed via Identity Management CLI or Web UI, the update was not provisioned to the BIND name server until a zone was checked with a periodic poll or the DNS record in the cache expired. Now, persistent search is enabled by default for new Identity Management installations and for running Identity Management server instances. A change to the DNS zone LDAP entry or to the DNS record that is already cached by bind-dyndb-ldap is instantly provisioned to the BIND name server and thus resolvable.

BZ#820003

The default value of the Directory Server in-memory entry cache was configured to a lower value than the size of an administrator's deployment, which caused the Directory Server to underperform. Now, the Identity Management package requires an updated version of the Directory Server, which warns administrators when the in-memory cache is too small and allows administrators to adjust the value appropriate to ratio of deployment.

BZ#822608

When users were migrated from the remote Directory Server, entries in the Identity Management Directory Server did not have complete Kerberos data needed for Kerberos authentication, even though the users passed the Identity Management password migration page. The migrated Identity Management user was not able to authenticate via Identity Management until the password was manually reset. Currently, the Kerberos authentication data generates properly during the migration process and users can successfully access Identity Management.

BZ#824488

The Identity Management Kerberos data back end did not support an option to control automatic user log-on attributes, which were updated with every authentication. Administrators with large deployments and high numbers of authentication events in their Identity Management realm could not disable these automatic updates to avoid numerous Directory Server modification and replication events. Now, users can utilize options in Identity Management to customize automatic Kerberos authentication attribute updates.

BZ#824490

Previously, Identity Management enforced lowercase letters for all user IDs which caused some operations, such as password changes, to fail when the user ID was uppercase. Also, the WinSync agreement with Active Directory replicated such user information into the Identity Management database. Currently, the Identity Management WinSync plug-in can convert user names and Kerberos principal user parts to lowercase, and passwords replicated from Active Directory via the Winsync agreement can now be changed.

BZ#826677

When Identity Management replicas were deleted using the "ipa-replica-manage" command, the script did not verify if the deletion would orphan other Identity Management replicas. Users unaware of the Identity Management replication graph structure might accidentally delete a replica forcing them to reinstall the orphaned replicas. Now, the "ipa-replica-manage" command will not allow users to delete a remote replica if such operation would orphan a replica with a replication agreement.

BZ#832243

Identity Management Web UI was not fully compatible with the Microsoft Internet Explorer browser, which caused glitches when working with the Identity Management administration interface. Identity Management Web UI is now compatible with Microsoft Internet Explorer versions 9 or later and glitches no longer occur when working with the Web UI.

BZ#837356

Several attributes in the Identity Manager Directory Server that are used to store links to other objects in the directory were not added to the Directory Server Referential Integrity plug-in configuration. When a referred object was deleted or renamed it caused some links to break in the affected attribute and made them point to an invalid object. This update adds all attributes storing links to other objects to the Referential Integrity plug-in configuration, which are updated when the referred object is deleted or renamed.

BZ#839008

The Identity Management Web UI Administrator interface was not enabled for users who were indirect members of administrative roles. These users were not able to perform administrative tasks in the Web UI. Presently, indirect members of administrative roles can use the Web UI Administrator interface and are able to perform administrative tasks within the Identity Management Web UI.

BZ#840657

Normally, Identity Management SSH capabilities allow storage of public user or host SSH keys, but the keys did not accept the OpenSSH-style public key format. This caused Identity Management to estimate public key type based on the public key blob, which could have caused an issue in the future with new public key types. Now, Identity Management stores SSH public keys in extended OpenSSH format and SSH public keys now contain all required parts, making the functionality acceptable in more deployments.

BZ#855278

Previously, Identity Management Web UI used a jQuery library to raise errors when processing Directory Server records with some strings, for example, sudo commands with the "??" string in the name, which, in turn, caused the Web UI to be unable to show, modify or add such records. With this jQuery library update, Identity Management Web UI no longer reports errors for these strings and processes them normally.

BZ#859968

Firefox 15 and newer versions did not allow signed JavaScript JAR files to gain privilege escalation to change browser configuration. The Identity Management browser autoconfiguration configured the browser to access Web UI through Kerberos authentication, which affects these versions of Firefox. Now Identity Management is deployed with its own Firefox extension and is able to auto configure and authenticate using Kerberos.

BZ#868956

The Identity Management "dnszone-add" command accepts the "--name-server" option specifying a host name of the primary name server resolving the zone. The option considered all host names as fully qualified domain names (FQDN) even though they were not FQDN, for example, name server "ns.example.com." for zone example.com and were relative to the zone name, such as, name server "ns" for zone "example.com." Users were not able to specify the name server in the relative name format when using the Identity Management "dnszone-add" command. Presently, Identity Management detects the name server format correctly and the "dnszone-add" command can process both relative and fully qualified domain names.

BZ#877324

After upgrading to Red Hat Identity Management 2.2, it was not possible to add SSH public keys in the Web UI. However, SSH public keys could be added on the command line by running the "ipa user-mod user --sshpubkey" command. This update allows SSH public keys to be added in the Web UI normally.

BZ#883484

Previously, the IPA automatic certificate renewal, in some cases, did not function properly and some certificates were not renewed while other certificates with the same "Not After" values were renewed. Certmonger is now updated, users can serialize access to the NSS databases to prevent corruption and do not have to renew and restart all the services at the same time.

BZ#888956

A 389-ds-base variable set during the PKI install "nsslapd-maxbersize" was not dynamically initialized and a restart was required for it to take effect. This caused installation to fail during the replication phase when building a replica from a PKI-CA master with a large CRL. This update includes an LDIF file (/usr/share/pki/ca/conf/database.ldif) to set the default maxbersize to a larger value and allows PKI-CA Replica Installs when CRL exceeds the default maxber value.

BZ#891980

Previously, on new IPA server installations, the root CA certificate lifetime was only valid for 8 years and users had to renew the certificate after it expired, which caused some inconvenience. This issue was fixed in Dogtag and this update increases the FreeIPA root CA validity to 20 years.

BZ#894131

The "ipa-replica-install" command sometimes failed to add the idnsSOAserial attribute for a new zone and in some cases, zones were added, but with missing data and did not replicate back to the master. With this update, the idnsSOAserial attribute sets properly and synchronizes across all servers and zones are added correctly.

BZ#894143

The "ipa-replica-prepare" command failed when a reverse zone did not have SOA serial data and reported a traceback error, which was difficult to read, when the problem occurred. Now, the "ipa-replica-prepare" command functions properly and if SOA serial data is missing, returns a more concise error message.

BZ#895298

When either dirsrv or krb5kdc were down, the "service named restart" command in the ipa-upgradeconfig failed during the upgrade of the ipa packages. With this update, the "service named restart" command functions normally and installation no longer fails during upgrades.

BZ#895561

Previously, the IPA install on a server with no IPv4 address failed with a "Can't contact LDAP server" error. With this update, both the server and replica install correctly and error messages no longer occur.

BZ#903758

Users who upgraded from IPA version 2.2 to version 3.0 encountered certmonger errors and the update failed with the error message, "certmonger failed to start tracking certificate." With this update, IPA 2.2 properly upgrades to version 3.0 without any errors.

BZ#905594

Before, users were unable to install the ipa-server-trust-ad package on a 32-bit platform and when doing so received the error message "Unable to read consumer identity." This update provides fixes in the spec file, and the package now installs properly on 32-bit platforms.

Enhancements

BZ#766007

This update introduces SELinux User Mapping rules which can be used in Identity Management in conjunction with HBAC rules to define the users, groups and hosts to which the rules apply.

BZ#766068

Support for SSH public key management has been added to the IPA server, and OpenSSH on IPA clients is automatically configured to use the public keys stored on the IPA server. Now, when a host enrolled in Identity Management connects to another enrolled host, the SSH public key is verified in the central Identity Management storage.

BZ#766179

The Cross Realm Kerberos Trust functionality provided by Identity Management is included as a Technology Preview. This feature allows users to create a trust relationship between an Identity Management and an Active Directory domain. Users from the Active Directory domain can access resources and services from the Identity Management domain with their AD credentials and data does not need to be synchronized between the Identity Management and Active Directory domain controllers.

BZ#767379

An automated solution to configure automount on clients for automount maps configured in the central Identity Management server was added. After an Identity Management client has been configured, administrators may use the provided ipa-client-automount script to configure client hosts to use automount maps configured in the Identity Management server.

BZ#782981

Users using the Identity Management Web UI were previously forced to log in to client machines enrolled in Identity Management in order to update a password that had expired or been reset. With this update, users are able to more conveniently change an expired or reset password from the Web UI itself.

BZ#783166

This update allows the ipa-client-install interface to accept prioritization of IPA servers that clients connect to. Previously, administrators could not configure a prioritized IPA server that SSSD should connect to before connecting to other servers which were potentially returned in a SRV DNS query. Now, when a new option "--fixed-primary" is passed to the "ipa-client-install" command, the discovered or user-provided server is configured as the first value in the ipa_server directive in the "/etc/sssd/sssd.conf" file. Thus, SSSD will always try to connect to this host first.

BZ#783274

This enhancement allows MAC address attributes for host entries in Identity Management and publishes them in the Identity Management NIS server. Users can utilize the "--macaddress" option to configure MAC addresses for an Identity Management host entry and, when NIS is enabled, MAC address can be read by an ethers map.

BZ#786199

Each ipa command line request previously required full and time-consuming Kerberos authentication, particularly when a series of commands were scripted. This update enhances the command line to take advantage of server-side sessions using a secure cookie, which provides a significant performance improvement due to avoidance of full Kerberos authentication for each ipa command. The session cookie is stored in the session keyring; refer to the keyctl(1) man page for more information about the key management facility.

BZ#798363
This update introduces Web UI and CLI "Create Password Policy" entry labels and specifies measurement units, for example, "seconds" for all configured policy fields. Previously, missing measurement units in the Identity Management Web UI or CLI "Create Password Policy" might have confused some users. Now, all missing measurement units are specified in configured policy fields.

BZ#801931
This update allows administrators to delegate write privileges to a selected zone only. Previously, when administrators wanted to delegate privileges to update the DNS zone to other Identity Management users, they had to allow write access to the entire DNS tree. Now, administrators can use the "dnszone-add-permission" command to create a system permission allowing its assignee to read and write only a selected DNS zone managed by Identity Management.

BZ#804619
Prior to this update, administrators could not configure a slave DNS server because it could not function properly unless an SOA serial number was changed every time a DNS record was changed. With this update, SOA serial numbers are automatically increased when a record in a DNS zone managed by Identity Management is updated. This feature takes advantage of and requires the persistent search data refresh mechanism, which is enabled by default in the Identity Management server install script. Administrators can now configure a slave DNS server for zones managed by Identity Management.

BZ#805233
This update prevents deletion of the last administrator, because administrators could accidentally delete the last user from the Identity Management Administrators group, which could only be repaired with direct LDAP modification by the Directory Manager. Now, Identity Management does not allow administrators to delete or disable the last member in the administrator group and Identity Management always has at least one active administrator.

BZ#813402
This enhancement warns users in the Identity Management Web UI when their password is about to expire. When the Identity Management user password is about to expire in a configurable number of days, the user is notified in the Identity Management Web UI about this and is offered a link to reset the password.

BZ#821448
The Identity Management Firefox browser configuration script now checks if the browser is configured to send the Referrer header in HTTP requests for Identity Management. Previously, Firefox browsers which did not have the "network.http.sendRefererHeader" configuration option set to "True" would fail to connect to the Identity Management Web UI, even though they ran the configuration script. Presently, the configuration option is set correctly and the Firefox browser can connect to the Web UI.

BZ#831010
This enhancement allows Identity Management client installer to accept a fixed set of Identity Management servers and circumvent automatic server discovery via DNS SRV records. Some network environments may contain SRV records which are not suitable for Identity Management client and should not be used by the client at all. The "--fixed-primary" option of ipa-client-install can now be used to configure SSSD to not use DNS SRV records to auto-discover Identity Management servers and the client install script now accepts a fixed list of Identity Management servers which is then passed to SSSD.

BZ#835643
This update introduces an auto-renew of Identity Management Subsystem Certificates. The default validity period for a new Certificate Authority is 10 years and the CA issues a number of certificates for its subsystems (OCSP, audit log, and others). Subsystem certificates are normally valid for two years and if the certificates expire, the CA does not start up or does not function properly. Therefore, in Red Hat Enterprise Linux 6.4, Identity Management servers are capable of automatically renewing their subsystem certificates and the subsystem certificates are tracked by certmonger, which automatically attempts to renew the certificates before they expire.

Users of ipa are advised to upgrade to these updated packages, which address this security issue, fix these bugs and add these enhancements.

6.90. iproute

6.90.1. RHBA-2013:0417 — iproute bug fix and enhancement update

Updated iproute packages that fix one bug and add one enhancement are now available for Red Hat Enterprise Linux 6.

The iproute packages contain networking utilities (ip and rtmon, for example) which are designed to use the advanced networking capabilities of the Linux kernel.

Bug Fix

BZ#811219
Invoking the socket stat utility, ss, with the "-ul" arguments did not list open UDP sockets. Consequently, users could not list open or listening UDP sockets. A patch has been applied to the ss utility to list UDP sockets and now the utility correctly reports all open UDP sockets.

Enhancement

BZ#821106
The iproute packages were distributed without the libnetlink library for accessing the netlink service. Consequently, it was not possible for users to utilize the libnetlink library features. The libnetlink library is now included in the newly introduced "iproute-devel" subpackage. As a result, users can now utilize libnetlink features.

All users of iproute are advised to upgrade to these updated packages, which fix this bug and add this enhancement.

6.91. iprutils

6.91.1. RHBA-2013:0378 — iprutils bug fix and enhancement update

An updated iprutils package that fixes several bugs and adds various enhancements is now available for Red Hat Enterprise Linux 6.

The iprutils package provides utilities to manage and configure SCSI devices that are supported by the IBM Power RAID SCSI storage device driver.

Upgrade to an upstream version

The iprutils package has been upgraded to upstream version 2.3.12, which provides a number of bug fixes and enhancements over the previous version and adds support for the suspend/resume utility for IBM BlueHawk. (BZ#822648, BZ#860532, BZ#829761)

Bug Fixes

BZ#826907
Previously, showing disk details caused the iprconfig utility, which is used to configure Hardware RAID devices, to terminate unexpectedly. Now, disk details are shown properly and iprconfig no longer crashes.

BZ#830982
Previously, in some situations, iprconfig failed to change the IOA asymmetric access mode if the saved mode in the configuration file located in the "/etc/ipr/" directory was different than the current mode. With this update, iprconfig sets the mode correctly and a warning message is returned when this inconsistency is detected.

BZ#869751
Previously, iprutils showed the wrong disk platform location within the system location string when the "iprconfig -c show-details sgx" command was used. Now, the platform location for the hard disk is combined with the location of "secured easy setup" (SES) and the physical location slot number which prevents this error from occurring.

Users of iprutils are advised to upgrade to this updated package, which fixes these bugs.

6.92. iptables

6.92.1. RHBA-2013:0332 — iptables bug fix and enhancement update

Updated iptables packages that fix several bugs and add two enhancements are now available for Red Hat Enterprise Linux 6.

The iptables utility controls the network packet filtering code in the Linux kernel.

Bug Fixes

BZ#800208
The sysctl values for certain netfilter kernel modules, such as nf_conntrack and xt_conntrack, were not restored after a firewall restart. Consequently, the firewall did not always perform as expected after a restart. This update allows iptables to load sysctl settings on start if specified by the user in the /etc/sysctl.conf file. Users can now define sysctl settings to load on start and restart.

BZ#809108
The iptables(8) and ip6tables(8) man pages were previously missing information about the AUDIT target module, which allows creating audit records of the packet flow. This update adds the missing description of the audit support to these man pages.

BZ#821441
The iptables and ip6tables commands did not correctly handle calculation of the maximum length of iptables chain names. Consequently, when assigning a firewall rule to an iptables chain with a name longer than 28 characters, the iptables or ip6tables command terminated with a buffer overflow and the rule was not assigned. This update corrects the related code so that iptables and ip6tables now handle names of iptables chains correctly and a firewall rule is assigned in the described scenario as expected.

BZ#836286
The iptables init script calls the /sbin/restorecon binary when saving firewall rules, so the iptables packages depend on the policycoreutils packages. However, the iptables packages previously did not require the policycoreutils packages as a dependency. Consequently, the "/etc/init.d/iptables save" command failed if the policycoreutils packages were not installed on the system. This update modifies the iptables spec file to require the policycoreutils packages as its prerequisite and thus prevents this problem from occurring.

Enhancements

BZ#747068
The iptables packages have been modified to support the update-alternatives mechanism to allow easier delivery of new iptables versions for the MRG Realtime kernel.

BZ#808272
Fallback mode has been added for the iptables and ip6tables services. A fallback firewall configuration can be stored in the /etc/sysconfig/iptables.fallback and /etc/sysconfig/ip6tables.fallback files in the iptables-save file format. The firewall rules from the fallback file are used if the service fails to apply the firewall rules from the /etc/sysconfig/iptables file (or the /etc/sysconfig/ip6tables file in case of ip6tables).

All users of iptables are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.93. irqbalance

6.93.1. RHBA-2013:0367 — irqbalance bug fix and enhancement update

Updated irqbalance packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The irqbalance packages provide a daemon that evenly distributes interrupt request (IRQ) load across multiple CPUs for enhanced performance.

Upgrade to an upstream version

The irqbalance packages have been upgraded to upstream version 1.0.4, which provides a number of bug fixes and enhancements over the previous version. Among other changes, the irqbalance daemon has been enhanced to support multiple MSI-X interrupts for PCI devices, which significantly boosts speed of devices producing high-rate interrupts, such as network cards. Also, the irqbalance logic has been modified to consider PCI bus topology when making IRQ mapping decisions. (BZ#789946)

Bug Fixes

BZ#813078
The irqbalance(1) man page did not contain documentation for the IRQBALANCE_BANNED_CPUS environment variable. This update adds the extensive documentation to this man page.

BZ#843379
The irqbalance daemon assigns each interrupt source in the system to a "class", which represents the type of the device (for example Networking, Storage or Media). Previously, irqbalance used the IRQ handler names from the /proc/interrupts file to decide the source class, which caused irqbalance to not recognize network interrupts correctly. As a consequence, systems that use NIC biosdevnames did not have their hardware interrupts distributed and pinned as expected. With this update, the device classification mechanism has been improved, which ensures a better interrupts distribution.

BZ#860627
Previously, the irqbalance init script started the irqbalance daemon with the "--foreground" option, which caused irqbalance to become unresponsive. With this update, the "--foreground" option has been removed from the init script and irqbalance now starts as expected.

All users of irqbalance are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.94. irssi

6.94.1. RHBA-2012:1171 — irssi bug fix update

Updated irssi packages that fix two bugs are now available for Red Hat Enterprise Linux 6.

Irssi is a modular IRC client with Perl scripting. Only the text-mode front end is currently supported.

Bug Fix

BZ#639258
Prior to this update, when the user attempted to use the "/unload" command to unload a static module, Irssi incorrectly marked this module as unavailable, rendering the user unable to load this module again without restarting the client. This update adapts the underlying source code to ensure that only dynamic modules can be unloaded.

BZ#845047
The previous version of the irssi(1) manual page documented "--usage" as a valid command line option. This was incorrect, because Irssi no longer supports this option and an attempt to use it causes it to fail with an error. With this update, the manual page has been corrected and no longer documents unsupported command line options.

All users of irssi are advised to upgrade to these updated packages, which fix these bugs.

6.95. iscsi-initiator-utils

6.95.1. RHBA-2013:0438 — iscsi-initiator-utils bug fix and enhancement update

Updated iscsi-initiator-utils packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The iscsi-initiator-utils packages provide the server daemon for the Internet Small Computer System Interface (iSCSI) protocol, as well as the utility programs used to manage it. iSCSI is a protocol for distributed disk access using SCSI commands sent over Internet Protocol (IP) networks.

Upgrade to an upstream version

The iSCSI user-space driver, iscsiuio, has been upgraded to upstream version 0.7.6.1, which provides a number of bug fixes and enhancements over the previous version, in particular VLAN and routing support. (BZ#826300)

Bug Fixes

BZ#826300
The iSCSI user-space driver, iscsiuio, has been upgraded to upstream version 0.7.6.1, which provides a number of bug fixes and enhancements over the previous version, in particular VLAN and routing support.

BZ#811428
The "iscsiadm --version" command was missing the main version number, the leading "6.". This update corrects the version number value and "iscsiadm --version" now shows the main version number correctly.

BZ#854776
For some bnx2i cards, the network interface must be active for the iSCSI interface to report a valid MAC address. This sometimes led to a failure to connect to an iSCSI target and, consequently, to iSCSI root setups failing to boot. This update changes iscsistart to put the network interface associated with the iSCSI context into an active state. As a result, iSCSI boot with bnx2i cards now works correctly.

BZ#868305
Due to a regression in the iscsiuio 0.7.4.3 update, iSCSI discovery and login failed on certain hardware. This has been corrected as part of the iscsiuio 0.7.6.1 update. As a result, iSCSI is functional again.

All users of iscsi-initiator-utils are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.96. jss

6.96.1. RHBA-2013:0424 — jss bug fix and enhancement update

Updated jss packages that fix one bug and add one enhancement are now available for Red Hat Enterprise Linux 6.

Java Security Services (JSS) provides an interface between Java Virtual Machine and Network Security Services (NSS). It supports most of the security standards and encryption technologies supported by NSS including communication through SSL/TLS network protocols. JSS is primarily utilized by the Certificate Server.

Bug Fix

BZ#797352
Previously, some JSS calls to certain NSS functions were to be replaced with calls to the JCA interface. The original JSS calls were therefore deprecated and as such caused warnings to be reported during refactoring. However, the deprecated calls have not been fully replaced with their JCA-based implementation in JSS 4.2. With this update, the calls are no longer deprecated and the warnings no longer occur.

Enhancement

BZ#804838
This update adds support for Elliptic Curve Cryptography (ECC) key archival in JSS. It provides new methods, such as getCurve(), Java_org_mozilla_jss_asn1_ASN1Util_getTagDescriptionByOid() and getECCurveBytesByX509PublicKeyBytes().

All users of jss are advised to upgrade to these updated packages, which fix this bug and add this enhancement.

6.97. kabi-whitelists

6.97.1. RHEA-2013:0485 — kabi-whitelists enhancement update

Updated kabi-whitelists packages that add various enhancements are now available for Red Hat Enterprise Linux 6.

The kabi-whitelists packages contain reference files documenting interfaces provided by the Red Hat Enterprise Linux 6 kernel that are considered to be stable by Red Hat engineering, and safe for long-term use by third-party loadable device drivers, as well as for other purposes.

Enhancements

BZ#826795
The "blk_queue_physical_block_size", "close_bdev_exclusive", "filemap_fdatawrite_range", "get_sb_nodev", "kill_anon_super", "open_bdev_exclusive", "jiffies_to_timespec", "kernel_getsockopt", "kernel_setsockopt", "radix_tree_delete", "pagevec_lookup", "recalc_sigpending", "path_put", and "simple_write_end" symbols have been added to the kernel application binary interface (ABI) whitelists.

BZ#831247
The "unlock_rename", "vfs_rename", "path_put", "default_llseek", "d_find_alias", "d_invalidate", "file_fsync", "strspn", "vfs_writev", "path_get", "nobh_truncate_page", "nobh_write_begin", "nobh_write_end", "nobh_writepage", "____pagevec_lru_add", "add_to_page_cache_locked", and "filemap_flush" symbols have been added to the kernel ABI whitelists.

BZ#902825
The "__generic_file_aio_write", "blk_queue_resize_tags", and "blk_queue_segment_boundary" symbols have been added to the kernel ABI whitelists.

BZ#849732
The following symbols have been added to the kernel ABI whitelists: "__alloc_pages", "__bitmap_weight", "__down_failed", "__free_pages", "__init_rwsem", "__init_waitqueue_head", "__kmalloc", "__memcpy", "__put_cred", "__raw_local_save_flags", "__stack_chk_fail", "__tasklet_schedule", "__tracepoint_kmalloc", "__up_wakeup", "__vmalloc", "__wake_up", "_cond_resched", "_spin_lock", "_spin_lock_irqsave", "_spin_unlock_irqrestore", "add_disk", "alloc_disk", "alloc_pages_current", "allow_signal", "autoremove_wake_function", "bio_endio", "bio_init", "bio_put", "blk_alloc_queue", "blk_cleanup_queue", "blk_queue_hardsect_size", "blk_queue_logical_block_size", "blk_queue_make_request", "blkdev_put", "complete", "complete_and_exit", "cond_resched", "contig_page_data", "copy_from_user", "copy_to_user", "cpu_present_map", "cpu_present_mask", "create_proc_entry", "daemonize", "del_gendisk", "do_gettimeofday", "down", "down_read", "down_read_trylock", "down_write", "down_write_trylock", "dump_stack", "filp_close", "filp_open", "finish_wait", "get_user_pages", "init_waitqueue_head", "jiffies", "jiffies_to_msecs", "jiffies_to_timeval", "kernel_thread", "kfree", "kmem_cache_alloc", "kmem_cache_alloc_notrace", "kmem_cache_create", "kmem_cache_destroy", "kmem_cache_free", "malloc_sizes", "mcount", "mem_map", "mem_section", "memcpy", "memset", "mod_timer", "msecs_to_jiffies", "msleep", "msleep_interruptible", "open_by_devnum", "override_creds", "panic", "per_cpu__current_task", "per_cpu__kernel_stack", "prepare_creds", "prepare_to_wait", "printk", "proc_mkdir", "put_disk", "put_page", "pv_irq_ops", "register_blkdev", "remove_proc_entry", "revert_creds", "schedule", "schedule_timeout", "send_sig", "set_user_nice", "sigprocmask", "slab_buffer_size", "snprintf", "sprintf", "strchr", "strcpy", "strncmp", "strncpy", "strnicmp", "strspn", "strstr", "submit_bio", "tasklet_init", "unregister_blkdev", "up", "up_read", "up_write", "vfree", "vfs_writev", "vscnprintf", and "wait_for_completion".

BZ#864893
The following symbols have been added to the kernel ABI whitelists: "blkdev_get", "send_sig_info", "__task_pid_nr_ns", "register_shrinker", "set_page_dirty_lock", "current_umask", "balance_dirty_pages_ratelimited_nr", "dentry_open", "generic_file_llseek_unlocked", "posix_acl_alloc", "posix_acl_from_xattr", "posix_acl_to_xattr", "posix_acl_valid", "read_cache_pages", "cancel_dirty_page", "clear_page", "grab_cache_page_nowait", "inode_init_always", "memparse", "put_unused_fd", "radix_tree_tag_set", "congestion_wait", "shrink_dcache_sb", "fd_install", "blk_make_request", "lookup_bdev", "__register_binfmt", "unregister_binfmt", "vm_stat", "kill_pid", and "kobject_get".

BZ#869353
A kernel checker tool (KSC) has been added to the kabi-whitelists packages.

Users of kabi-whitelists are advised to upgrade to these updated packages, which add these enhancements.

6.98. kdebase

6.98.1. RHBA-2012:1371 — kdebase bug fix update

Updated kdebase packages that fix two bugs are now available for Red Hat Enterprise Linux 6.

The K Desktop Environment (KDE) is a graphical desktop environment for the X Window System. The kdebase packages include core applications for KDE.

Bug Fixes

BZ#608007
Prior to this update, the Konsole context menu item "Show menu bar" was always checked in new windows even if this menu item was disabled before. This update modifies the underlying code to handle the menu item "Show menu bar" as expected.

BZ#729307
Prior to this update, users could not define a default size for xterm windows when using the Konsole terminal in KDE. This update modifies the underlying code and adds the functionality to define a default size.

All users of kdebase are advised to upgrade to these updated packages, which fix these bugs.

6.99. kdebase-workspace

6.99.1. RHBA-2012:1286 — kdebase-workspace bug fix update

Updated kdebase-workspace packages that fix one bug are now available for Red Hat Enterprise Linux 6.

The kdebase-workspace packages contain utilities for basic operations with the desktop environment. The utilities allow users, for example, to change system settings, resize and rotate X screens or set panels and widgets on the workspace.

Bug Fix

BZ#749460
Prior to this update, the task manager did not honor the order of manually arranged items. As a consequence, manually arranged taskbar entries were randomly rearranged when the user switched desktops. This update modifies the underlying code to make manually arranged items more persistent.

All users of kdebase-workspace are advised to upgrade to these updated packages, which fix this bug.

6.100. kdelibs3

6.100.1. RHBA-2012:1244 — kdelibs3 bug fix update

Updated kdelibs3 packages that fix two bugs are now available for Red Hat Enterprise Linux 6.

The kdelibs3 packages provide libraries for the K Desktop Environment (KDE).

Bug Fixes

BZ#681901
Prior to this update, the kdelibs3 libraries caused a conflict for the subversion version control tool. As a consequence, subversion was not correctly built if the kdelibs3 libraries were installed. This update modifies the underlying code to avoid this conflict. Now, subversion builds as expected with kdelibs3.

BZ#734447
kdelibs3 provided its own set of trusted Certificate Authority (CA) certificates. This update makes kdelibs3 use the system set from the ca-certificates package, instead of its own copy.

All users of kdelibs3 are advised to upgrade to these updated packages, which fix these bugs.

6.101. kdelibs

6.101.1. RHBA-2012:1251 — kdelibs bug fix update

Updated kdelibs packages that fix various bugs are now available for Red Hat Enterprise Linux 6.

The kdelibs packages provide libraries for the K Desktop Environment (KDE).

Bug Fixes

BZ#587016
Prior to this update, the KDE Print dialog did not remember previous settings, nor did it allow the user to save the settings. Consequent to this, when printing several documents, users were forced to manually change settings for each printed document. With this update, the KDE Print dialog retains previous settings as expected.

BZ#682611
When the system was configured to use the Traditional Chinese language (the zh_TW locale), Konqueror incorrectly used a Chinese (zh_CN) version of its splash page. This update ensures that Konqueror uses the correct locale.

BZ#734734
Previously, clicking the system tray to display hidden icons could cause the Plasma Workspaces to consume an excessive amount of CPU time. This update applies a patch that fixes this error.

BZ#754161
When using Konqueror to recursively copy files and directories, if one of the subdirectories was not accessible, no warning or error message was reported to the user. This update ensures that Konqueror displays a proper warning message in this scenario.

BZ#826114
Prior to this update, an attempt to add "Terminal Emulator" to the Main Toolbar caused Konqueror to terminate unexpectedly with a segmentation fault. With this update, the underlying source code has been corrected to prevent this error so that users can now use this functionality as expected.

All users of kdelibs are advised to upgrade to these updated packages, which fix these bugs.

6.101.2. RHSA-2012:1418 — Critical: kdelibs security update

Updated kdelibs packages that fix two security issues are now available for Red Hat Enterprise Linux 6 FasTrack.

The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.

The kdelibs packages provide libraries for the K Desktop Environment (KDE). Konqueror is a web browser.

CVE-2012-4512
A heap-based buffer overflow flaw was found in the way the CSS (Cascading Style Sheets) parser in kdelibs parsed the location of the source for font faces. A web page containing malicious content could cause an application using kdelibs (such as Konqueror) to crash or, potentially, execute arbitrary code with the privileges of the user running the application.

CVE-2012-4513
A heap-based buffer over-read flaw was found in the way kdelibs calculated canvas dimensions for large images. A web page containing malicious content could cause an application using kdelibs to crash or disclose portions of its memory.

Users should upgrade to these updated packages, which contain backported patches to correct these issues. The desktop must be restarted (log out, then log back in) for this update to take effect.

6.102. kdepim

6.102.1. RHBA-2012:1287 — kdepim bug fix update

Updated kdepim packages that fix one bug are now available for Red Hat Enterprise Linux 6.

The KDE Personal Information Management (kdepim) suite helps to organize your mail, tasks, appointments, and contacts.

Bug Fix

BZ#811125
Prior to this update, the cyrus-sasl-plain package was not a dependency of the kdepim package. As a consequence, Kmail failed to send mail. This update modifies the underlying code to include the cyrus-sasl-plain dependency.

All users of kdepim are advised to upgrade to these updated packages, which fix this bug.

6.103. kernel

6.103.1. RHSA-2013:1173 — Important: kernel security and bug fix update

Updated kernel packages that fix several security issues and bugs are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fixes

CVE-2013-2206, Important
A flaw was found in the way the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation handled duplicate cookies. If a local user queried SCTP connection information at the same time a remote attacker has initialized a crafted SCTP connection to the system, it could trigger a NULL pointer dereference, causing the system to crash.

CVE-2013-2224, Important
It was found that the fix for CVE-2012-3552 released via RHSA-2012:1304 introduced an invalid free flaw in the Linux kernel's TCP/IP protocol suite implementation. A local, unprivileged user could use this flaw to corrupt kernel memory via crafted sendmsg() calls, allowing them to cause a denial of service or, potentially, escalate their privileges on the system.

CVE-2013-2146, Moderate
A flaw was found in the Linux kernel's Performance Events implementation. On systems with certain Intel processors, a local, unprivileged user could use this flaw to cause a denial of service by leveraging the perf subsystem to write into the reserved bits of the OFFCORE_RSP_0 and OFFCORE_RSP_1 model-specific registers.

CVE-2013-2232, Moderate
An invalid pointer dereference flaw was found in the Linux kernel's TCP/IP protocol suite implementation. A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system by using sendmsg() with an IPv6 socket connected to an IPv4 destination.

CVE-2012-6544, Low
Information leak flaws in the Linux kernel's Bluetooth implementation could allow a local, unprivileged user to leak kernel memory to user-space.

CVE-2013-2237, Low
An information leak flaw in the Linux kernel could allow a privileged, local user to leak kernel memory to user-space.

Bug Fixes

BZ#956054
The kernel could rarely terminate instead of creating a dump file when a multi-threaded process using FPU aborted. This happened because the kernel did not wait until all threads became inactive and attempted to dump the FPU state of active threads into memory which triggered a BUG_ON() routine. A patch addressing this problem has been applied and the kernel now waits for the threads to become inactive before dumping their FPU state into memory.

BZ#959930
Due to the way the CPU time was calculated, an integer multiplication overflow bug could occur after several days of running CPU bound processes that were using hundreds of kernel threads. As a consequence, the kernel stopped updating the CPU time and provided an incorrect CPU time instead. This could confuse users and lead to various application problems. This update applies a patch fixing this problem by decreasing the precision of calculations when the stime and rtime values become too large. Also, a bug allowing stime values to be sometimes erroneously calculated as utime values has been fixed.
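The multiplication overflow and the precision-dropping remedy described in BZ#959930, as an added illustration in C; it is not the Red Hat patch or kernel source. The function names, the shift-based reduction and the sample tick values are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* 128-bit type (GCC/Clang extension on 64-bit targets), used only as an
 * exact reference to compare the 64-bit variants against. */
__extension__ typedef unsigned __int128 u128;

/* Naive scaling of the sampled system time to the precise runtime:
 * stime * rtime / total. The 64-bit product silently wraps modulo 2^64
 * once stime * rtime reaches 2^64, so the result becomes garbage. */
uint64_t scale_naive(uint64_t stime, uint64_t rtime, uint64_t total)
{
    if (total == 0)
        return 0;
    return stime * rtime / total;
}

/* Exact result using a 128-bit intermediate product. */
uint64_t scale_exact(uint64_t stime, uint64_t rtime, uint64_t total)
{
    if (total == 0)
        return 0;
    return (uint64_t)(((u128)stime * rtime) / total);
}

/* Precision-dropping variant (this example's own approach): while the
 * product would not fit in 64 bits, halve rtime and total together.
 * The ratio rtime/total is preserved; only low-order bits are lost. */
uint64_t scale_reduced(uint64_t stime, uint64_t rtime, uint64_t total)
{
    const uint64_t full_rtime = rtime;

    if (total == 0 || stime == 0)
        return 0;
    if (stime > total)              /* stime is one component of total */
        stime = total;

    while (rtime > UINT64_MAX / stime) {
        if (total <= 1)             /* defensive: only when rtime >= 2^63 */
            return full_rtime;      /* saturate at 100% of the runtime */
        rtime >>= 1;
        total >>= 1;
    }
    return stime * rtime / total;
}

int main(void)
{
    /* Constructed sample: stime = 3 * 2^32 ticks, utime = 2^32 ticks,
     * so total = 2^34; the precise runtime equals the tick total. */
    uint64_t stime = 3ULL << 32, total = 1ULL << 34, rtime = 1ULL << 34;

    printf("naive   = %llu\n",
           (unsigned long long)scale_naive(stime, rtime, total));
    printf("exact   = %llu\n",
           (unsigned long long)scale_exact(stime, rtime, total));
    printf("reduced = %llu\n",
           (unsigned long long)scale_reduced(stime, rtime, total));
    return 0;
}
```

With the constructed sample the naive product is 3 * 2^66, which wraps to zero, while the reduced variant returns the exact value; with non-power-of-two inputs it can differ from the exact result by a few ticks.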

BZ#963557
Due to several bugs in the ext4 code, data integrity system calls did not always properly persist data on the disk. Therefore, the unsynchronized data in the ext4 file system could have been lost after the system's unexpected termination. A series of patches has been applied to the ext4 code to address this problem, including a fix that ensures proper usage of data barriers in the code responsible for file synchronization. Data loss no longer occurs in the described situation.

BZ#974597
A previous patch that modified dcache and autofs code caused a regression. Due to this regression, unmounting a large number of expired automounts on a system under heavy NFS load caused soft lockups, rendering the system unresponsive. If a "soft lockup" watchdog was configured, the machine rebooted. To fix the regression, the erroneous patch has been reverted and the system now handles the aforementioned scenario properly without any soft lockups.


BZ#975576
A system could become unresponsive due to an attempt to shut down an XFS file system that was waiting for log I/O completion. A patch to the XFS code has been applied that allows for the shutdown method to be called from different contexts so XFS log items can be deleted properly even outside the AIL, which fixes this problem.

BZ#975578
XFS file systems were occasionally shut down with the "xfs_trans_ail_delete_bulk: attempting to delete a log item that is not in the AIL" error message. This happened because the EFI/EFD handling logic was incorrect and the EFI log item could have been freed before it was placed in the AIL and committed. A patch has been applied to the XFS code fixing the EFI/EFD handling logic and ensuring that the EFI log items are never freed before the EFD log items are processed. The aforementioned error no longer occurs on an XFS shutdown.

BZ#977668
A race condition between the read_swap_cache_async() and get_swap_page() functions in the memory management (mm) code could lead to a deadlock situation. The deadlock could occur only on systems that deployed swap partitions on devices supporting block DISCARD and TRIM operations if kernel preemption was disabled (the !CONFIG_PREEMPT parameter). If the read_swap_cache_async() function was given a SWAP_HAS_CACHE entry that did not have a page in the swap cache yet, a DISCARD operation was performed in the scan_swap_map() function. Consequently, completion of an I/O operation was scheduled on the same CPU's working queue the read_swap_cache_async() was running on. This caused the thread in read_swap_cache_async() to loop indefinitely around its "-EEXIST" case, rendering the system unresponsive. The problem has been fixed by adding an explicit cond_resched() call to read_swap_cache_async(), which allows other tasks to run on the affected CPU, thus avoiding the deadlock.

BZ#977680, BZ#989923
A previous change in the port auto-selection code allowed sharing ports with no conflicts extending its usage. Consequently, when binding a socket with the SO_REUSEADDR socket option enabled, the bind(2) function could allocate an ephemeral port that was already used. A subsequent connection attempt failed in such a case with the EADDRNOTAVAIL error code. This update applies a patch that modifies the port auto-selection code so that bind(2) now selects a non-conflict port even with the SO_REUSEADDR option enabled.

BZ#979293
Cyclic adding and removing of the st kernel module could previously cause a system to become unresponsive. This was caused by a disk queue reference count bug in the SCSI tape driver. An upstream patch addressing this bug has been backported to the SCSI tape driver and the system now responds as expected in this situation.

BZ#979912
On KVM guests with the KVM clock (kvmclock) as a clock source and with some VCPUs pinned, certain VCPUs could experience significant sleep delays (elapsed time was greater than 20 seconds). This resulted in unexpected delays by sleeping functions and inaccurate measurement for low latency events. The problem happened because a kvmclock update was isolated to a certain VCPU so the NTP frequency correction applied only to that single VCPU. This problem has been resolved by a patch allowing kvmclock updates to all VCPUs on the KVM guest. VCPU sleep time now does not exceed the expected amount and no longer causes the aforementioned problems.

BZ#981177
When using applications that intensively utilized memory mapping, customers experienced significant application latency, which led to serious performance degradation. A series of patches has been applied to fix the problem. Among other changes, the patches modify the memory mapping code to allow block devices to require stable page writes, enforce stable page writes only if required by a backing device, and optionally snapshot page content to provide stable pages during write. As a result, application latency has been improved by a considerable amount and applications with high demand of memory mapping now perform as expected.

BZ#982116
The bnx2x driver could have previously reported an occasional MDC/MDIO timeout error along with the loss of the link connection. This could happen in environments using an older boot code because the MDIO clock was set in the beginning of each boot code sequence instead of per CL45 command. To avoid this problem, the bnx2x driver now sets the MDIO clock per CL45 command. Additionally, the MDIO clock is now implemented per EMAC register instead of per port number, which prevents ports from using different EMAC addresses for different PHY accesses. Also, a boot code or Management Firmware (MFW) upgrade is required to prevent the boot code (firmware) from taking over link ownership if the driver's pulse is delayed. The BCM57711 card requires boot code version 6.2.24 or later, and the BCM57712/578xx cards require MFW version 7.4.22 or later.

BZ#982472
If the Audit queue is too long, the kernel schedules the kauditd daemon to alleviate the load on the Audit queue. Previously, if the current Audit process had any pending signals in such a situation, it entered a busy-wait loop for the duration of an Audit backlog timeout because the wait_for_auditd() function was called as an interruptible task. This could lead to system lockup in non-preemptive uniprocessor systems. This update fixes the problem by setting wait_for_auditd() as uninterruptible.

BZ#982496
A possible race in the tty layer could result in a kernel panic after triggering the BUG_ON() macro. As a workaround, the BUG_ON() macro has been replaced by the WARN_ON() macro, which allows for avoiding the kernel panic and investigating the race problem further.

BZ#982571
A recent change in the memory mapping code introduced a new optional next-fit algorithm for allocating VMAs to map processed files to the address space. This change, however, broke the behavior of a certain internal function, which then always followed the next-fit VMA allocation scheme instead of the first-fit VMA allocation scheme. Consequently, when the first-fit VMA allocation scheme was in use, this bug caused linear address space fragmentation and could lead to early "-ENOMEM" failures for mmap() requests. This patch restores the original first-fit behavior to the function so the aforementioned problems no longer occur.

BZ#982697
When certain HP hardware with UHCI HDC support was in use and the uhci-hdc driver performed the auto-stop operation, the kernel emitted the "kernel: uhci_hcd 0000:01:00.4: Controller not stopped yet!" warning messages. This happened because HP's virtual UHCI host controller takes an extremely long time to suspend (several hundred microseconds) even with no attached USB device and the driver was not adjusted to handle this situation. To avoid this problem, the uhci-hdc driver has been modified to not run the auto-stop operation until the controller is suspended.

BZ#982703
A previously released erratum, RHSA-2013:0911, included a patch that added support for memory configurations greater than 1 TB of RAM on AMD systems, and a patch that fixed a kernel panic preventing installation of Red Hat Enterprise Linux on such systems. However, these patches broke booting of Red Hat Enterprise Linux 6.4 on the SGI UV platform, and therefore they have been reverted with this update. Red Hat Enterprise Linux 6.4 now boots on SGI UV as expected.

BZ#982758
Due to a bug in descriptor handling, the ioat driver did not correctly process pending descriptors on systems with the Intel Xeon Processor E5 family. Consequently, the CPU was utilized excessively on these systems. A patch has been applied to the ioat driver so the driver now determines pending descriptors correctly and CPU usage is normal again for the described processor family.

BZ#990464
A bug in the network bridge code allowed an internal function to call code which was not atomic-safe while holding a spin lock. Consequently, a "BUG: scheduling while atomic" error was triggered and a call trace was logged by the kernel. This update applies a patch that orders the function properly so the function no longer holds a spin lock while calling code which is not atomic-safe. The aforementioned error with a call trace no longer occurs in this case.

BZ#990470
A race condition in the abort task and SPP device task management path of the isci driver could, under certain circumstances, cause the driver to fail cleaning up timed-out I/O requests that were pending on an SAS disk device. As a consequence, the kernel removed such a device from the system. A patch applied to the isci driver fixes this problem by sending the task management function request to the SAS drive anytime the abort function is entered and the task has not completed. The driver now cleans up timed-out I/O requests as expected in this situation.

Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

6.103.2. RHSA-2013:1051 — Moderate: kernel security and bug fix update

Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.

These packages contain the Linux kernel, the core of any Linux operating system.


Security Fixes

CVE-2013-2128, Moderate
A flaw was found in the tcp_read_sock() function in the Linux kernel's IPv4 TCP/IP protocol suite implementation in the way socket buffers (skb) were handled. A local, unprivileged user could trigger this issue via a call to splice(), leading to a denial of service.

CVE-2012-6548, CVE-2013-2634, CVE-2013-2635, CVE-2013-3222, CVE-2013-3224, CVE-2013-3225, Low
Information leak flaws in the Linux kernel could allow a local, unprivileged user to leak kernel memory to user-space.

CVE-2013-0914, Low
An information leak was found in the Linux kernel's POSIX signals implementation. A local, unprivileged user could use this flaw to bypass the Address Space Layout Randomization (ASLR) security feature.

CVE-2013-1848, Low
A format string flaw was found in the ext3_msg() function in the Linux kernel's ext3 file system implementation. A local user who is able to mount an ext3 file system could use this flaw to cause a denial of service or, potentially, escalate their privileges.

CVE-2013-2852, Low
A format string flaw was found in the b43_do_request_fw() function in the Linux kernel's b43 driver implementation. A local user who is able to specify the "fwpostfix" b43 module parameter could use this flaw to cause a denial of service or, potentially, escalate their privileges.

CVE-2013-3301, Low
A NULL pointer dereference flaw was found in the Linux kernel's ftrace and function tracer implementations. A local user who has the CAP_SYS_ADMIN capability could use this flaw to cause a denial of service.

Red Hat would like to thank Kees Cook for reporting CVE-2013-2852.

Bug Fixes

BZ#924847
An error in backporting the block reservation feature from upstream resulted in a missing allocation of a reservation structure when an allocation is required during the rename system call. Renaming a file system object (for example, file or directory) requires a block allocation for the destination directory. If the destination directory had not had a reservation structure allocated, a NULL pointer dereference occurred, leading to a kernel panic. With this update, a reservation structure is allocated before the rename operation, and a kernel panic no longer occurs in this scenario. This patch also ensures that the inode's multi-block reservation is not deleted when a file is closed while changing the inode's size.

BZ#927308
When an inconsistency is detected in a GFS2 file system after an I/O operation, the kernel performs the withdraw operation on the local node. However, the kernel previously did not wait for an acknowledgement from the GFS control daemon (gfs_controld) before proceeding with the withdraw operation. Therefore, if a failure isolating the GFS2 file system from a data storage occurred, the kernel was not aware of this problem and an I/O operation to the shared block device may have been performed after the withdraw operation was logged as successful. This could lead to corruption of the file system or prevent the node from journal recovery. This patch modifies the GFS2 code so the withdraw operation no longer proceeds without the acknowledgement from gfs_controld, and the GFS2 file system can no longer become corrupted after performing the withdraw operation.

BZ#927317
The GFS2 discard code did not calculate the sector offset correctly for block devices with the sector size of 4 KB, which led to loss of data and metadata on these devices. A patch correcting this problem has been applied so the discard and FITRIM requests now work as expected for the block devices with the 4 KB sector size.

BZ#956296
The virtual file system (VFS) code had a race condition between the unlink and link system calls that allowed creating hard links to deleted (unlinked) files. This could, under certain circumstances, cause inode corruption that eventually resulted in a file system shutdown. The problem was observed in Red Hat Storage during rsync operations on replicated Gluster volumes that resulted in an XFS shutdown. A testing condition has been added to the VFS code, preventing hard links to deleted files from being created.

BZ#956979
The sunrpc code paths that wake up an RPC task are highly optimized for speed so the code avoids using any locking mechanism but requires precise operation ordering. Multiple bugs were found related to operation ordering, which resulted in a kernel crash involving either a BUG_ON() assertion or an incorrect use of a data structure in the sunrpc layer. These problems have been fixed by properly ordering operations related to the RPC_TASK_QUEUED and RPC_TASK_RUNNING bits in the wake-up code paths of the sunrpc layer.

BZ#958684
A previous update introduced a new failure mode to the blk_get_request() function returning the -ENODEV error code when a block device queue is being destroyed. However, the change did not include a NULL pointer check for all callers of the function. Consequently, the kernel could dereference a NULL pointer when removing a block device from the system, which resulted in a kernel panic. This update applies a patch that adds these missing NULL pointer checks. Also, some callers of the blk_get_request() function could previously return the -ENOMEM error code instead of -ENODEV, which would lead to incorrect call chain propagation. This update applies a patch ensuring that correct return codes are propagated.

BZ#962368
A rare race condition between the "devloss" timeout and discovery state machine could trigger a bug in the lpfc driver that nested two levels of spin locks in reverse order. The reverse order of spin locks led to a deadlock situation and the system became unresponsive. With this update, a patch addressing the deadlock problem has been applied and the system no longer hangs in this situation.


BZ#962370
When attempting to deploy a virtual machine on a hypervisor with multiple NICs and macvtap devices, a kernel panic could occur. This happened because the macvtap driver did not gracefully handle a situation when the macvlan_port.vlans list was empty and returned a NULL pointer. This update applies a series of patches which fix this problem using a read-copy-update (RCU) mechanism and by preventing the driver from returning a NULL pointer if the list is empty. The kernel no longer panics in this scenario.

BZ#962372
Certain CPUs contain on-chip virtual-machine control structure (VMCS) caches that are used to keep active VMCSs managed by the KVM module. These VMCSs contain runtime information of the guest machines operated by KVM. These CPUs require support of the VMCLEAR instruction that allows flushing the cache's content into memory. The kernel previously did not use the VMCLEAR instruction in Kdump. As a consequence, when dumping a core of the QEMU KVM host, the respective CPUs did not flush VMCSs to the memory and the guests' runtime information was not included in the core dump. This problem has been addressed by a series of patches that implement support of using the VMCLEAR instruction in Kdump. The kernel now performs the VMCLEAR operation in Kdump if it is required by a CPU so the vmcore file of the QEMU KVM host contains all VMCSs information as expected.

BZ#963564
When a network interface (NIC) is running in promiscuous (PROMISC) mode, the NIC may receive and process VLAN tagged frames even though no VLAN is attached to the NIC. However, some network drivers, such as bnx2, igb, tg3, and e1000e, did not handle processing of packets with VLAN tagged frames in PROMISC mode correctly if the frames had no VLAN group assigned. The drivers processed the packets with incorrect routines and various problems could occur; for example, a DHCPv6 server connected to a VLAN could assign an IPv6 address from the VLAN pool to a NIC with no VLAN interface. To handle the VLAN tagged frames without a VLAN group properly, the frames have to be processed by the VLAN code, so the aforementioned drivers have been modified to refrain from performing a NULL value test of the packet's VLAN group field when the NIC is in PROMISC mode. This update also includes a patch fixing a bug where the bnx2x driver did not strip a VLAN header from the frame if no VLAN was configured on the NIC, and another patch that implements some register changes in order to enable receiving and transmitting of VLAN packets on a NIC even if no VLAN is registered with the card.

BZ#964046
Due to a bug in the NFSv4 nfsd code, a NULL pointer could have been dereferenced when nfsd was looking up a path to the NFSv4 recovery directory for the fsync operation, which resulted in a kernel panic. This update applies a patch that modifies the NFSv4 nfsd code to open a file descriptor for fsync in the NFSv4 recovery directory instead of looking up the path. The kernel no longer panics in this situation.

BZ#966432
When adding a virtual PCI device, such as virtio disk, virtio net, e1000 or rtl8139, to a KVM guest, the kacpid thread reprograms the hot plug parameters of all devices on the PCI bus to which the new device is being added. When reprogramming the hot plug parameters of a VGA or QXL graphics device, the graphics device emulation requests flushing of the guest's shadow page tables. Previously, if the guest had a huge and complex set of shadow page tables, the flushing operation took a significant amount of time and the guest could appear to be unresponsive for several minutes. This resulted in exceeding the threshold of the "soft lockup" watchdog and the "BUG: soft lockup" events were logged by both the guest and host kernels. This update applies a series of patches that deal with this problem. The KVM's Memory Management Unit (MMU) now avoids creating multiple page table roots in connection with processors that support Extended Page Tables (EPT). This prevents the guest's shadow page tables from becoming too complex on machines with EPT support. MMU now also flushes only large memory mappings, which alleviates the situation on machines where the processor does not support EPT. Additionally, a free memory accounting race that could prevent KVM MMU from freeing memory pages has been fixed.

BZ#968557
A race condition could occur in the uhci-hcd kernel module if the IRQ line was shared with other devices. The race condition allowed the IRQ handler routine to be called before the data structures were fully initialized, which caused the system to become unresponsive. This update applies a patch that fixes the problem by adding a test condition to the IRQ handler routine; if the data structure initialization is still in progress, the handler routine finishes immediately.

BZ#969306
When setting up a bonding device, a certain flag was used to distinguish between TLB and ALB modes. However, usage of this flag in ALB mode allowed enslaving NICs before the bond was activated. This resulted in enslaved NICs not having unique MAC addresses as required, and consequent loss of "reply" packets sent to the slaves. This patch modifies the function responsible for the setup of the slave's MAC address so the flag is no longer needed to discriminate ALB mode from TLB and the flag was removed. The described problem no longer occurs in this situation.

BZ#969326
When booting the normal kernel on certain servers, such as HP ProLiant DL980 G7, some interrupts may have been lost which resulted in the system being unresponsive or rarely even in data loss. This happened because the kernel did not set correct destination mode during the boot; the kernel booted in "logical cluster mode" that is default while this system supported only "x2apic physical mode". This update applies a series of patches addressing the problem. The underlying APIC code has been modified so the x2apic probing code now checks the Fixed ACPI Description Table (FADT) and installs the x2apic "physical" driver as expected. Also, the APIC code has been simplified and the code now uses probe routines to select destination APIC mode and install the correct APIC drivers.

BZ#972586
A bug in the OProfile tool led to a NULL pointer dereference while unloading the OProfile kernel module, which resulted in a kernel panic. The problem was triggered if the kernel was running with the nolapic parameter set and OProfile was configured to use the NMI timer interrupt. The problem has been fixed by correctly setting the NMI timer when initializing OProfile.

BZ#973198
Previously, when booting a Red Hat Enterprise Linux 6.4 system and the ACPI Static Resource Affinity Table (SRAT) had a hot-pluggable bit enabled, the kernel considered the SRAT table incorrect and NUMA was not configured. This led to a general protection fault and a kernel panic occurring on the system. The problem has been fixed by using an SMBIOS check in the code in order to avoid the SRAT code table consistency checks. NUMA is now configured as expected and the kernel no longer panics in this situation.

BZ#973555
A bug in the PCI driver allowed the use of a pointer to the Virtual Function (VF) device entry that was already freed. Consequently, when hot-removing an I/O unit with enabled SR-IOV devices, a kernel panic occurred. This update modifies the PCI driver so a valid pointer to the Physical Function (PF) device entry is used and the kernel no longer panics in this situation.

BZ#975086
The kernel previously did not handle a situation where the system needed to fall back from non-flat Advanced Programmable Interrupt Controller (APIC) mode to flat APIC mode. Consequently, a NULL pointer was dereferenced and a kernel panic occurred. This update adds the flat_probe() function to the APIC driver, which allows the kernel to use flat APIC mode as a fall-back option. The kernel no longer panics in this situation.

Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

6.103.3. RHSA-2013:0911 — Important: kernel security, bug fix and enhancement update

Updated kernel packages that fix several security issues and bugs and add one enhancement are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fixes

CVE-2013-1935, Important
A flaw was found in the way KVM (Kernel-based Virtual Machine) initialized a guest's registered pv_eoi (paravirtualized end-of-interrupt) indication flag when entering the guest. An unprivileged guest user could potentially use this flaw to crash the host.

CVE-2013-1943, Important
A missing sanity check was found in the kvm_set_memory_region() function in KVM, allowing a user-space process to register memory regions pointing to the kernel address space. A local, unprivileged user could use this flaw to escalate their privileges.

CVE-2013-2017, Moderate
A double free flaw was found in the Linux kernel's Virtual Ethernet Tunnel driver (veth). A remote attacker could possibly use this flaw to crash a target system.

Red Hat would like to thank IBM for reporting the CVE-2013-1935 issue and Atzm WATANABE of Stratosphere Inc. for reporting the CVE-2013-2017 issue. The CVE-2013-1943 issue was discovered by Michael S. Tsirkin of Red Hat.


Bug Fixes

BZ#923096
Previously, the queue limits were not being retained as they should have been if a device did not contain any data or if a multipath device temporarily lost all its paths. This problem has been fixed by avoiding a call to the dm_calculate_queue_limits() function.

BZ#924823
A bug in the dm_btree_remove() function could cause leaf values to have incorrect reference counts. Removal of a shared block could result in space maps considering the block as no longer used. As a consequence, sending a discard request to a shared region of a thin device could corrupt its snapshot. The bug has been fixed to prevent corruption in this scenario.

BZ#927292
Prior to this update, if Large Receive Offload (LRO) was enabled, Broadcom, QLogic, and Intel card drivers did not fill in all the packet fields. Consequently, when the macvtap driver received a packet with a gso_type field that was not set, a kernel panic occurred. With this update, the ixgbe, qlcnic, and bnx2x drivers have been fixed to always set the gso_type field. Thus, a kernel panic no longer occurs in the previously described scenario.

BZ#927294
Reading a large number of files from a pNFS (parallel NFS) mount and canceling the running operation by pressing Ctrl+c caused a general protection fault in the XDR code, which could manifest itself as a kernel oops with an "unable to handle kernel paging request" message. This happened because decoding of the LAYOUTGET operation is done by a worker thread and the caller waits for the worker thread to complete. When the reading operation was canceled, the caller stopped waiting and freed the pages. So the pages no longer existed at the time the worker thread called the relevant function in the XDR code. The cleanup process of these pages has been moved to a different place in the code, which prevents the kernel oops from happening in this scenario.

BZ#961431
By default, the kernel uses a best-fit algorithm for allocating Virtual Memory Areas (VMAs) to map processed files to the address space. However, if an enormous number of small files (hundreds of thousands or millions) was being mapped, the address space became extremely fragmented, which resulted in significant CPU usage and performance degradation. This update introduces an optional next-fit policy which, if enabled, allows for mapping of a file to the first suitable unused area in the address space that follows after the previously allocated VMA.

BZ#960864
C-states for the Intel Family 6, Model 58 and 62, processors were not properly initialized in Red Hat Enterprise Linux 6. Consequently, these processors were unable to enter deep C-states. Also, C-state accounting was not functioning properly and power management tools, such as powertop or turbostat, thus displayed incorrect C-state transitions. This update applies a patch that ensures proper C-states initialization so the aforementioned processors can now enter deep core power states as expected. Note that this update does not correct C-state accounting which has been addressed by a separate patch.


BZ#960436
If an NFSv4 client was checking open permissions for a delegated OPEN operation during OPEN state recovery of an NFSv4 server, the NFSv4 state manager could enter a deadlock. This happened because the client was holding the NFSv4 sequence ID of the OPEN operation. This problem is resolved by releasing the sequence ID before the client starts checking open permissions.

BZ#960429
When using parallel NFS (pNFS), a kernel panic could occur when a process was killed while getting the file layout information during the open() system call. A patch has been applied to prevent this problem from occurring in this scenario.

BZ#960426
In the RPC code, when a network socket backed up due to high network traffic, a timer was set causing a retransmission, which in turn could cause an even larger amount of network traffic to be generated. To prevent this problem, the RPC code now waits for the socket to empty instead of setting the timer.

BZ#960420
Previously, the fsync(2) system call incorrectly returned the EIO (Input/Output) error instead of the ENOSPC (No space left on device) error. This was caused by incorrect error handling in the page cache. This problem has been fixed and the correct error value is now returned.

BZ#960417
Previously, an NFS RPC task could enter a deadlock and become unresponsive if it was waiting for an NFSv4 state serialization lock to become available and the session slot was held by the NFSv4 server. This update fixes this problem along with the possible race condition in the pNFS return-on-close code. The NFSv4 client has also been modified to not accept delegated OPEN operations if a delegation recall is in effect. The client now also reports NFSv4 servers that try to return a delegation when the client is using the CLAIM_DELEGATE_CUR open mode.

BZ#952613
When pNFS code was in use, a file locking process could enter a deadlock while trying to recover from a server reboot. This update introduces a new locking mechanism that avoids the deadlock situation in this scenario.

BZ#960412
Previously, when open(2) system calls were processed, the GETATTR routine did not check to see if valid attributes were also returned. As a result, the open() call succeeded with invalid attributes instead of failing in such a case. This update adds the missing check, and the open() call succeeds only when valid attributes are returned.

BZ#955504
The be2iscsi driver previously leaked memory in the driver's control path when mapping tasks. This update fixes the memory leak by freeing all resources related to a task when the task was completed. Also, the driver did not release a task after responding to the received NOP-IN acknowledgment with a valid Target Transfer Tag (TTT). Consequently, the driver ran out of tasks available for the session and no more iSCSI commands could be issued. A patch has been applied to fix this problem by releasing the task.

BZ#960415
Due to a missing structure, the NFSv4 error handler did not handle exceptions caused by revoking NFSv4 delegations. Consequently, the NFSv4 client received the EIO error message instead of the NFS4ERR_ADMIN_REVOKED error. This update modifies the NFSv4 code to no longer require the nfs4_state structure in order to revoke a delegation.

BZ#954298
Under rare circumstances, if a TCP retransmission was partially acknowledged and collapsed multiple times, the Socket Buffer (SKB) in use could become corrupted due to an overflow caused by the transmission headroom. This resulted in a kernel panic. The problem was observed rarely when using an IP-over-InfiniBand (IPoIB) connection. This update applies a patch that verifies whether a transmission headroom exceeded the maximum size of the used SKB, and if so, the headroom is reallocated. It was also discovered that a TCP stack could retransmit misaligned SKBs if a malicious peer acknowledged a sub-MSS frame and the output interface did not have a sequence generator (SG) enabled. This update introduces a new function that allows for copying of a SKB with a new head so the SKB remains aligned in this situation.

BZ#921964
In a case of a broken or malicious server, an index node (inode) of an incorrect type could be matched. This led to an NFS client NULL pointer dereference, and, consequently, to a kernel oops. To prevent this problem from occurring in this scenario, a check has been added to verify that the inode type is correct.

BZ#962482
When using more than 4 GB of RAM with an AMD processor, reserved regions and memory holes (E820 regions) can also be placed above the 4 GB range. For example, on configurations with more than 1 TB of RAM, AMD processors reserve the 1012 GB - 1024 GB range for the Hyper Transport (HT) feature. However, the Linux kernel does not correctly handle E820 regions that are located above the 4 GB range. Therefore, when installing Red Hat Enterprise Linux on a machine with an AMD processor and 1 TB of RAM, a kernel panic occurred and the installation failed. This update modifies the kernel to exclude E820 regions located above the 4 GB range from direct mapping. The kernel also no longer maps the whole memory on boot but only finds memory ranges that are necessary to be mapped. The system can now be successfully installed on the above-described configuration.

BZ#950529
This update reverts two previously-included qla2xxx patches. These patches changed the fibre channel target port discovery procedure, which resulted in some ports not being discovered in some corner cases. Reverting these two patches fixes the discovery issues.

BZ#928817
A previously-applied patch introduced a bug in the ipoib_cm_destroy_tx() function, which allowed a CM object to be moved between lists without any supported locking. Under a heavy system load, this could cause the system to crash. With this update, proper locking of the CM objects has been re-introduced to fix the race condition, and the system no longer crashes under a heavy load.

BZ#928683
A bug in the do_filp_open() function caused it to exit early if any write access was requested on a read-only file system. This prevented the opening of device nodes on a read-only file system. With this update, the do_filp_open() function has been fixed to no longer exit if a write request is made on a read-only file system.

BZ#960433
An NFSv4 client could previously enter a deadlock situation with the state recovery thread during state recovery after a reboot of an NFSv4 server. This happened because the client did not release the NFSv4 sequence ID of an OPEN operation that was requested before the reboot. This problem is resolved by releasing the sequence ID before the client starts waiting for the server to recover.

Enhancement

BZ#952570
The kernel now supports memory configurations with more than 1 TB of RAM on AMD systems.

Users should upgrade to these updated packages, which contain backported patches to correct these issues and add this enhancement. The system must be rebooted for this update to take effect.

6.103.4. RHSA-2013:0744 — Important: kernel security and bug fix update

Updated kernel packages that fix several security issues and several bugs are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fixes

CVE-2013-0913, Important
An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way the Intel i915 driver in the Linux kernel handled the allocation of the buffer used for relocation copies. A local user with console access could use this flaw to cause a denial of service or escalate their privileges.

CVE-2013-1773, Important
A buffer overflow flaw was found in the way UTF-8 characters were converted to UTF-16 in the utf8s_to_utf16s() function of the Linux kernel's FAT file system implementation. A local user able to mount a FAT file system with the "utf8=1" option could use this flaw to crash the system or, potentially, to escalate their privileges.


CVE-2013-1796, Important
A flaw was found in the way KVM handled guest time updates when the buffer the guest registered by writing to the MSR_KVM_SYSTEM_TIME machine state register (MSR) crossed a page boundary. A privileged guest user could use this flaw to crash the host or, potentially, escalate their privileges, allowing them to execute arbitrary code at the host kernel level.

CVE-2013-1797, Important
A potential use-after-free flaw was found in the way KVM handled guest time updates when the GPA (guest physical address) the guest registered by writing to the MSR_KVM_SYSTEM_TIME machine state register (MSR) fell into a movable or removable memory region of the hosting user-space process (by default, QEMU-KVM) on the host. If that memory region is deregistered from KVM using KVM_SET_USER_MEMORY_REGION and the allocated virtual memory reused, a privileged guest user could potentially use this flaw to escalate their privileges on the host.

CVE-2013-1798, Important
A flaw was found in the way KVM emulated IOAPIC (I/O Advanced Programmable Interrupt Controller). A missing validation check in the ioapic_read_indirect() function could allow a privileged guest user to crash the host, or read a substantial portion of host kernel memory.

CVE-2013-1792, Moderate
A race condition in install_user_keyrings(), leading to a NULL pointer dereference, was found in the key management facility. A local, unprivileged user could use this flaw to cause a denial of service.

CVE-2013-1826, Moderate
A NULL pointer dereference in the XFRM implementation could allow a local user who has the CAP_NET_ADMIN capability to cause a denial of service.

CVE-2013-1827, Moderate
A NULL pointer dereference in the Datagram Congestion Control Protocol (DCCP) implementation could allow a local user to cause a denial of service.

CVE-2012-6537, Low
Information leak flaws in the XFRM implementation could allow a local user who has the CAP_NET_ADMIN capability to leak kernel stack memory to user-space.

CVE-2012-6546, Low
Two information leak flaws in the Asynchronous Transfer Mode (ATM) subsystem could allow a local, unprivileged user to leak kernel stack memory to user-space.

CVE-2012-6547, Low
An information leak was found in the TUN/TAP device driver in the networking implementation. A local user with access to a TUN/TAP virtual interface could use this flaw to leak kernel stack memory to user-space.

CVE-2013-0349, Low
An information leak in the Bluetooth implementation could allow a local user who has the CAP_NET_ADMIN capability to leak kernel stack memory to user-space.

CVE-2013-1767, Low
A use-after-free flaw was found in the tmpfs implementation. A local user able to mount and unmount a tmpfs file system could use this flaw to cause a denial of service or, potentially, escalate their privileges.

CVE-2013-1774, Low
A NULL pointer dereference was found in the Linux kernel's USB Inside Out Edgeport Serial Driver implementation. An attacker with physical access to a system could use this flaw to cause a denial of service.

Red Hat would like to thank Andrew Honig of Google for reporting CVE-2013-1796, CVE-2013-1797, and CVE-2013-1798. CVE-2013-1792 was discovered by Mateusz Guzik of Red Hat EMEA GSS SEG Team.
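
The CVE-2013-1773 entry above concerns a UTF-8 to UTF-16 conversion that overflowed its destination buffer. The following added example (user-space C written for this page, not Red Hat's or the kernel's code) shows a converter that takes an explicit output capacity and refuses to write past it; the function names, return codes and sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CONV_MALFORMED (-1)  /* hypothetical return code: invalid UTF-8 */
#define CONV_NO_SPACE  (-2)  /* hypothetical return code: output too small */

/* Decode one UTF-8 sequence from s[0..len). Returns bytes consumed, or -1.
 * Rejects truncated, overlong, surrogate and out-of-range encodings. */
static int utf8_decode(const uint8_t *s, size_t len, uint32_t *cp)
{
    uint32_t c = 0, min = 0;
    int need = 0;

    if (len == 0)
        return -1;
    if (s[0] < 0x80) { *cp = s[0]; return 1; }
    else if ((s[0] & 0xE0) == 0xC0) { need = 1; c = s[0] & 0x1F; min = 0x80; }
    else if ((s[0] & 0xF0) == 0xE0) { need = 2; c = s[0] & 0x0F; min = 0x800; }
    else if ((s[0] & 0xF8) == 0xF0) { need = 3; c = s[0] & 0x07; min = 0x10000; }
    else return -1;

    if (len < (size_t)need + 1)
        return -1;
    for (int i = 1; i <= need; i++) {
        if ((s[i] & 0xC0) != 0x80)
            return -1;
        c = (c << 6) | (s[i] & 0x3F);
    }
    if (c < min || c > 0x10FFFF || (c >= 0xD800 && c <= 0xDFFF))
        return -1;
    *cp = c;
    return need + 1;
}

/* Convert in[0..in_len) to UTF-16 code units. Never writes more than
 * out_cap units. Returns the number of units written or a CONV_* code. */
static int utf8_to_utf16_bounded(const uint8_t *in, size_t in_len,
                                 uint16_t *out, size_t out_cap)
{
    size_t n = 0;

    while (in_len > 0) {
        uint32_t cp;
        int used = utf8_decode(in, in_len, &cp);
        if (used < 0)
            return CONV_MALFORMED;

        /* Code points above U+FFFF need a surrogate pair: two units. */
        size_t units = (cp >= 0x10000) ? 2 : 1;
        if (out_cap - n < units)
            return CONV_NO_SPACE;  /* checked before any write */

        if (units == 2) {
            cp -= 0x10000;
            out[n++] = (uint16_t)(0xD800 | (cp >> 10));
            out[n++] = (uint16_t)(0xDC00 | (cp & 0x3FF));
        } else {
            out[n++] = (uint16_t)cp;
        }
        in += used;
        in_len -= (size_t)used;
    }
    return (int)n;
}

/* Constructed sample: "A", U+00E9, U+1F600 = 7 bytes of UTF-8, 4 units. */
static const uint8_t SAMPLE[] = { 0x41, 0xC3, 0xA9, 0xF0, 0x9F, 0x98, 0x80 };

/* Capacity 3 is one unit short; the guard value behind it must survive. */
static int canary_survives_short_buffer(void)
{
    uint16_t buf[4] = { 0, 0, 0, 0xBEEF };
    int rc = utf8_to_utf16_bounded(SAMPLE, sizeof SAMPLE, buf, 3);
    return rc == CONV_NO_SPACE && buf[3] == 0xBEEF;
}

int main(void)
{
    uint16_t out[8];
    int n = utf8_to_utf16_bounded(SAMPLE, sizeof SAMPLE, out, 8);
    printf("units written: %d\n", n);
    printf("short buffer left intact: %d\n", canary_survives_short_buffer());
    return 0;
}
```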

Bug Fixes

BZ#909156
When running the Hyper-V hypervisor, the host expects guest virtual machines to report free memory and the memory used for memory ballooning, including the pages that were ballooned out. However, the memory ballooning code did not handle reporting correctly, and the pages that were ballooned out were not included in the report. Consequently, after the memory was ballooned out from the guest, the Hyper-V Manager reported an incorrect value of the demanded memory and a memory status. This update provides a patch that adjusts the memory ballooning code to include the ballooned-out pages and to determine the demanded memory correctly.

BZ#911267
The Intel 5520 and 5500 chipsets do not properly handle remapping of MSI and MSI-X interrupts. If the interrupt remapping feature is enabled on the system with such a chipset, various problems and service disruption could occur (for example, a NIC could stop receiving frames), and the "kernel: do_IRQ: 7.71 No irq handler for vector (irq -1)" error message appears in the system logs. As a workaround to this problem, it has been recommended to disable the interrupt remapping feature in the BIOS on such systems, and many vendors have updated their BIOS to disable interrupt remapping by default. However, the problem is still being reported by users without proper BIOS level with this feature properly turned off. Therefore, this update modifies the kernel to check if the interrupt remapping feature is enabled on these systems and to provide users with a warning message advising them on turning off the feature and updating the BIOS.

BZ#911475
If a logical volume was created on devices with thin provisioning enabled, the mkfs.ext4 command took a long time to complete, and the following message was recorded in the system log:

kernel: blk: request botched

This was caused by discard request merging that was not completely functional in the block and SCSI layers. This functionality has been temporarily disabled to prevent such problems from occurring.

BZ#915579
Timeout errors could occur on an NFS client with heavy read workloads; for example when using the rsync and ldconfig utilities. Both client-side and server-side causes were found for the problem. On the client side, there were problems that could prevent the client from reconnecting lost TCP connections; this was fixed prior to this update. On the server side, TCP memory pressure on the server forced the send buffer size to be lower than the size required to send a single Remote Procedure Call (RPC), which consequently caused the server to be unable to reply to the client. A series of patches addressing the server-side problem has been applied. This update provides the last of those patches that removes the redundant xprt->shutdown bit field from the sunrpc code. Setting this bit field could lead to a race causing the aforementioned problem. Timeout errors no longer occur on NFS clients that are under heavy read workload.

BZ#915583
Previously, running commands such as "ls", "find" or "move" on a MultiVersion File System (MVFS) could cause a kernel panic. This happened because the d_validate() function, which is used for dentry validation, called the kmem_ptr_validate() function to validate a pointer to a parent dentry. The pointer could have been freed anytime so the kmem_ptr_validate() function could not guarantee the pointer to be dereferenced, which could lead to a NULL pointer dereference. This update modifies d_validate() to verify the parent-child relationship by traversing the parent dentry's list of child dentries, which solves this problem. The kernel no longer panics in the described scenario.

BZ#916957
A previous patch introduced the use of the page_descs length field to describe the size of a fuse request. That patch incorrectly handled a code path that does not exist in the upstream fuse code, which resulted in a data corruption when using loop devices over FUSE. This patch fixes this problem by setting the fuse request size before submitting the request.

BZ#917690
When the state of the netfilter module was out-of-sync, a TCP connection was recorded in the conntrack table although the TCP connection did not exist between two hosts. If a host re-established this connection with the same source port, destination port, source address and destination address, the host sent a TCP SYN packet and the peer sent back acknowledgment for this SYN packet. However, because netfilter was out-of-sync, netfilter dropped this acknowledgment, and deleted the connection item from the conntrack table, which consequently caused the host to retransmit the SYN packet. A patch has been applied to improve this handling; if an unexpected SYN packet appears, the TCP options are annotated. Acknowledgment for the SYN packet serves as a confirmation of the connection tracking being out-of-sync, then a new connection record is created using the information annotated previously to avoid the retransmission delay.

BZ#920266
The NFS code implements the "silly rename" operation to handle an open file that is held by a process while another process attempts to remove it. The "silly rename" operation works according to the "delete on last close" semantics so the inode of the file is not released until the last process that opens the file closes it. A previous update of the NFS code broke the mechanics that prevented an NFS client from deleting a silly-renamed dentry. This affected the "delete on last close" semantics and silly-renamed files could be deleted by any process while the files were open for I/O by another process. As a consequence, the process reading the file failed with the "ESTALE" error code. This update modifies the way the NFS code handles dentries of silly-renamed files, and silly-renamed files cannot be deleted until the last process that has the file open for I/O closes it.

BZ#920268
The NFSv4 code uses byte range locks to simulate the flock() function, which is used to apply or remove an exclusive advisory lock on an open file. However, using the NFSv4 byte range locks precludes a possibility to open a file with read-only permissions and subsequently to apply an exclusive advisory lock on the file. A previous patch broke a mechanism used to verify the mode of the open file. As a consequence, the system became unresponsive and the system logs filled with a "kernel: nfs4_reclaim_open_state: Lock reclaim failed!" error message if the file was open with read-only permissions and an attempt to apply an exclusive advisory lock was made. This update modifies the NFSv4 code to check the mode of the open file before attempting to apply the exclusive advisory lock. The "-EBADF" error code is returned if the type of the lock does not match the file mode.

BZ#921145
Due to a bug in the tty driver, an ioctl call could return the "-EINTR" error code when the "read" command was interrupted by a signal, such as SIGCHLD. As a consequence, the subsequent "read" command caused the Bash shell to abort with a "double free or corruption (out)" error message. An applied patch corrects the tty driver to use the "-ERESTARTSYS" error code so the system call is restarted if needed. Bash no longer crashes in this scenario.

BZ#921150
Previously, the NFS Lock Manager (NLM) did not resend blocking lock requests after NFSv3 server reboot recovery. As a consequence, when an application was running on an NFSv3 mount and requested a blocking lock, the application received an -ENOLCK error. This patch ensures that NLM always resends blocking lock requests after the grace period has expired.

BZ#921535
Virtual LAN (VLAN) support of the eHEA ethernet adapter did not work as expected. A "device ethX has buggy VLAN hw accel" message could have been reported when running the "dmesg" command. This was because a backported upstream patch removed the vlan_rx_register() function. This update adds the function back, and eHEA VLAN support works as expected. This update also addresses a possible kernel panic, which could occur due to a NULL pointer dereference when processing received VLAN packets. The patch adds a test condition verifying whether a VLAN group is set by the network stack, which prevents a possible NULL pointer from being dereferenced, and the kernel no longer crashes in this situation.

BZ#921958
When the Active Item List (AIL) becomes empty, the xfsaild daemon is moved to a task sleep state that depends on the timeout value returned by the xfsaild_push() function. The latest changes modified xfsaild_push() to return a 10-ms value when the AIL is empty, which sets xfsaild into the uninterruptible sleep state (D state) and artificially increased system load average. This update applies a patch that fixes this problem by setting the timeout value to the allowed maximum, 50 ms. This moves xfsaild to the interruptible sleep state (S state), avoiding the impact on load average.


BZ#921961
When running a high thread workload of small-sized files on an XFS file system, sometimes, the system could become unresponsive or a kernel panic could occur. This occurred because the xfsaild daemon had a subtle code path that led to lock recursion on the xfsaild lock when a buffer in the AIL was already locked and an attempt was made to force the log to unlock it. This patch removes the dangerous code path and queues the log force to be invoked from a safe locking context with respect to xfsaild. This patch also fixes the race condition between buffer locking and buffer pinned state that exposed the original problem by rechecking the state of the buffer after a lock failure. The system no longer hangs and the kernel no longer panics in this scenario.

BZ#921963
The kernel's implementation of RTAS (RunTime Abstraction Services) previously allowed the stop_topology_update() function to be called from an interrupt context during live partition migration on PowerPC and IBM System p machines. As a consequence, the system became unresponsive. This update fixes the problem by calling stop_topology_update() earlier in the migration process, and the system no longer hangs in this situation.

BZ#922154
A previous kernel update broke queue pair (qp) hash list deletion in the qp_remove() function. This could cause a general protection fault in the InfiniBand stack or QLogic InfiniBand driver. A patch has been applied to restore the former behavior so the general protection fault no longer occurs.

BZ#923098
Due to a bug in the CIFS mount code, it was not possible to mount Distributed File System (DFS) shares in Red Hat Enterprise Linux 6.4. This update applies a series of patches that address this problem and modifies the CIFS mount code so that DFS shares can now be mounted as expected.

BZ#923204
When the Red Hat Enterprise Linux 6 kernel runs as a virtual machine, it performs boot-time detection of the hypervisor in order to enable hypervisor-specific optimizations. Red Hat Enterprise Linux 6.4 introduces detection and optimization for the Microsoft Hyper-V hypervisor. Previously, Hyper-V was detected first; however, because some Xen hypervisors can attempt to emulate Hyper-V, this could lead to a boot failure when that emulation was not exact. A patch has been applied to ensure that the attempt to detect Xen is always done before Hyper-V, resolving this issue.

BZ#927309
When using the congestion window lock functionality of the ip utility, the system could become unresponsive. This happened because the tcp_slow_start() function could enter an infinite loop if the congestion window was locked using route metrics. A set of patches has been applied to comply with the upstream kernel, ensuring the problem no longer occurs in this scenario.

BZ#928686
Previously, the tty driver allowed a race condition to occur in the tty buffer code. If the tty buffer was requested by multiple users of the same tty device in the same time frame, the same tty's buffer structure was used and the buffer could exceed the reserved size. This resulted in a buffer overflow problem and a subsequent memory corruption issue, which caused the kernel to panic. This update fixes the problem by implementing a locking mechanism around the tty buffer structure using spin locks. The described race can no longer occur so the kernel can no longer crash due to a tty buffer overflow.

Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

6.103.5. RHSA-2013:0630 — Important: kernel security and bug fix update

Updated kernel packages that fix two security issues and several bugs are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fixes

CVE-2013-0228, Important
A flaw was found in the way the xen_iret() function in the Linux kernel used the DS (the CPU's Data Segment) register. A local, unprivileged user in a 32-bit para-virtualized guest could use this flaw to crash the guest or, potentially, escalate their privileges.

CVE-2013-0268, Important
A flaw was found in the way file permission checks for the "/dev/cpu/[x]/msr" files were performed in restricted root environments (for example, using a capability-based security model). A local user with the ability to write to these files could use this flaw to escalate their privileges to kernel level, for example, by writing to the SYSENTER_EIP_MSR register.

The CVE-2013-0228 issue was discovered by Andrew Jones of Red Hat.

Bug Fixes

BZ#908398
Truncating files on a GFS2 file system could fail with an "unable to handle kernel NULL pointer dereference" error. This was because of a missing reservation structure that caused the truncate code to reference an incorrect pointer. To prevent this, a patch has been applied to allocate a block reservation structure before truncating a file.

BZ#908733
Previously, when using parallel network file system (pNFS) and data was written to the appropriate storage device, the LAYOUTCOMMIT requests being sent to the metadata server could fail internally. The metadata server was not provided with the modified layout based on the written data, and these changes were not visible to the NFS client. This happened because the encoding functions for the LAYOUTCOMMIT and LAYOUTRETURN operations were defined as void, and thus returned an arbitrary status. This update corrects these encoding functions to return 0 on success as expected. The changes on the storage device are now propagated to the metadata server and can be observed as expected.

BZ#908737
Previously, init scripts were unable to set the MAC address of the master interface properly because it was overwritten by the first slave MAC address. To avoid this problem, this update re-introduces the check for an unassigned MAC address before setting the MAC address of the first slave interface as the MAC address of the master interface.

BZ#908739
During device discovery, the system creates a temporary SCSI device with the LUN ID 0 if the LUN 0 is not mapped on the system. Previously, this led to a NULL pointer dereference because inquiry data was not allocated for the temporary LUN 0 device, which resulted in a kernel panic. This update adds a NULL pointer test in the underlying SCSI code, and the kernel no longer panics in this scenario.

BZ#908744
Previously on system boot, devices with associated Reserved Memory Region Reporting (RMRR) information had lost their RMRR information after they were removed from the static identity (SI) domain. Consequently, a system unexpectedly terminated in an endless loop due to unexpected NMIs triggered by DMA errors. This problem was observed on HP ProLiant Generation 7 (G7) and 8 (G8) systems. This update prevents non-USB devices that have RMRR information associated with them from being placed into the SI domain during system boot. HP ProLiant G7 and G8 systems that contain devices with the RMRR information now boot as expected.

BZ#908794
When counting CPU time, the utime and stime values are scaled based on rtime. Prior to this update, the utime value was multiplied with the rtime value, but the integer multiplication overflow could happen, and the resulting value could be then truncated to 64 bits. As a consequence, utime values visible in the user space were stalled even if an application consumed a lot of CPU time. With this update, the multiplication is performed on stime instead of utime. This significantly reduces the chances of an overflow on most workloads because the stime value, unlike the utime value, cannot grow fast.

BZ#909159
When using transparent proxy (TProxy) over IPv6, the kernel previously created neighbor entries for local interfaces and peers that were not reachable directly. This update corrects this problem and the kernel no longer creates invalid neighbor entries.

BZ#909813
Due to a bug in the superblock code, a NULL pointer could be dereferenced when handling a kernel paging request. Consequently, the request failed and a kernel oops occurred. This update corrects this problem and kernel page requests are processed as expected.

BZ#909814
Sometimes, the irqbalance tool could not get the CPU NUMA node information due to missing symlinks for CPU devices in sysfs. This update adds the NUMA node symlinks for CPU devices in sysfs, which is also useful when using irqbalance to build a CPU topology.


BZ#909815
A previous kernel patch introduced a bug by assigning a different value to the IFLA_EXT_MASK Netlink attribute than found in the upstream kernels. This could have caused various problems; for example, a binary compiled against the upstream kernel headers could have failed or behaved unexpectedly on Red Hat Enterprise Linux 6.4 and later kernels. This update realigns IFLA_EXT_MASK in the enumeration correctly by synchronizing the IFLA_* enumeration with the upstream. This ensures that binaries compiled against Red Hat Enterprise Linux 6.4 kernel headers will function as expected. Backwards compatibility is guaranteed.

BZ#909816
Broadcom 5719 NIC could previously sometimes drop received jumbo frame packets due to cyclic redundancy check (CRC) errors. This update modifies the tg3 driver so that CRC errors no longer occur and Broadcom 5719 NICs process jumbo frame packets as expected.

BZ#909818
Previously, the VLAN code incorrectly cleared the timestamping interrupt bit for network devices using the igb driver. Consequently, timestamping failed on the igb network devices with Precision Time Protocol (PTP) support. This update modifies the igb driver to preserve the interrupt bit if interrupts are disabled.

BZ#910370
The NFSv4.1 client could stop responding while recovering from a server reboot on an NFSv4.1 or pNFS mount with delegations disabled. This could happen due to insufficient locking in the NFS code and several related bugs in the NFS and RPC scheduler code which could trigger a deadlock situation. This update applies a series of patches which prevent possible deadlock situations from occurring. The NFSv4.1 client now recovers and continues with the workload as expected in the described situation.

BZ#910373
Previously, race conditions could sometimes occur in interrupt handling on the Emulex BladeEngine 2 (BE2) controllers, causing the network adapter to become unresponsive. This update provides a series of patches for the be2net driver, which prevents the race from occurring. The network cards using BE2 chipsets no longer hang due to incorrectly handled interrupt events.

BZ#910998
A previous patch to the mlx4 driver enabled an internal loopback to allow communication between functions on the same host. However, this change introduced a regression that caused virtual switch (vSwitch) bridge devices using Mellanox Ethernet adapter as the uplink to become inoperative in native (non-SRIOV) mode under certain circumstances. To fix this problem, the destination MAC address is written to Tx descriptors of transmitted packets only in SRIOV or eSwitch mode, or during the device self-test. Uplink traffic works as expected in the described setup.

BZ#911000
Previously, the kernel did not support a storage discard granularity that was not a power of two. Consequently, if the underlying storage reported such a granularity, the kernel issued discard requests incorrectly, which resulted in I/O errors. This update modifies the kernel to correct the calculation of the storage discard granularity, and the kernel now processes discard requests correctly even for storage devices with a discard granularity that is not a power of two.

BZ#911655
Previously, a kernel panic could occur on machines using the SCSI sd driver with Data Integrity Field (DIF) type 2 protection. This was because the scsi_register_driver() function registered a prep_fn() function that might have needed to use the sd_cdp_pool variable for the DIF functionality. However, the variable had not yet been initialized at this point. The underlying code has been updated so that the driver is registered last, which prevents a kernel panic from occurring in this scenario.

BZ#911663
Previously, the mlx4 driver set the number of requested MSI-X vectors to 2 under multi-function mode on mlx4 cards. However, the default setting of the mlx4 firmware allows for a higher number of requested MSI-X vectors (4 of them with the current firmware). This update modifies the mlx4 driver so that it uses these default firmware settings, which improves performance of mlx4 cards.

All users should upgrade to these updated packages, which contain backported patches to correct these issues and fix the bugs. The system must be rebooted for this update to take effect.
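
The utime scaling overflow described in BZ#908794 above can be modelled in user space. This added example (a simplified model written for this page, not the kernel's code) compares multiplying rtime by utime with multiplying rtime by stime and deriving utime from the result; the struct, the function names, the monotonic clamp on reported values and the tick values are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified user-space model; all names and values here are assumptions. */
struct cpu_sample {
    uint64_t utime;  /* sampled user ticks */
    uint64_t stime;  /* sampled system ticks */
    uint64_t rtime;  /* precise total runtime, same unit */
};

typedef uint64_t (*scale_fn)(struct cpu_sample);

/* Portable check: would a * b exceed 64 bits? */
static int mul_would_overflow(uint64_t a, uint64_t b)
{
    return a != 0 && b > UINT64_MAX / a;
}

/* Pre-fix shape: rtime * utime silently wraps modulo 2^64 once both
 * factors approach 2^32, and the division then yields a small value. */
static uint64_t scale_utime_wrapping(struct cpu_sample s)
{
    uint64_t total = s.utime + s.stime;
    if (total == 0)
        return s.rtime;
    return (s.rtime * s.utime) / total;
}

/* Post-fix shape from the note: scale stime, then utime = rtime - stime.
 * rtime * stime can still wrap, but only when stime itself is large. */
static uint64_t scale_utime_via_stime(struct cpu_sample s)
{
    uint64_t total = s.utime + s.stime;
    if (total == 0)
        return s.rtime;
    return s.rtime - (s.rtime * s.stime) / total;
}

/* Assumed clamp: a reported value never goes backwards, so a wrapped,
 * too-small result shows up as a counter that stops advancing. */
static uint64_t report_monotonic(uint64_t *prev, uint64_t scaled)
{
    if (scaled > *prev)
        *prev = scaled;
    return *prev;
}

/* Constructed workload: six samples of a CPU-bound task whose utime grows
 * from 4.0e9 to 5.0e9 ticks while stime stays at 1e6 ticks.
 * Returns how many of the six reports failed to advance. */
static int count_stalled(scale_fn scale)
{
    uint64_t prev = 0;
    int stalled = 0;

    for (int i = 0; i < 6; i++) {
        struct cpu_sample s;
        s.utime = 4000000000ULL + (uint64_t)i * 200000000ULL;
        s.stime = 1000000ULL;
        s.rtime = s.utime + s.stime + 500000ULL;

        uint64_t before = prev;
        if (report_monotonic(&prev, scale(s)) == before)
            stalled++;
    }
    return stalled;
}

int main(void)
{
    struct cpu_sample last = { 5000000000ULL, 1000000ULL, 5001500000ULL };

    printf("rtime*utime overflows: %d\n",
           mul_would_overflow(last.rtime, last.utime));
    printf("rtime*stime overflows: %d\n",
           mul_would_overflow(last.rtime, last.stime));
    printf("stalled reports, rtime*utime: %d\n",
           count_stalled(scale_utime_wrapping));
    printf("stalled reports, rtime*stime: %d\n",
           count_stalled(scale_utime_via_stime));
    return 0;
}
```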

6.103.6. RHSA-2013:0496 — Important: Red Hat Enterprise Linux 6 kernelsecurity, bug fix, and enhancement updateUpdated kernel packages that fix two security issues, address several hundred bugs and add numerousenhancements are now available as part of the ongoing support and maintenance of Red Hat EnterpriseLinux version 6. This is the fourth regular update.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fixes

CVE-2012-4508, Important
A race condition was found in the way asynchronous I/O and fallocate() interacted when using the ext4 file system. A local, unprivileged user could use this flaw to expose random data from an extent whose data blocks have not yet been written, and thus contain data from a deleted file.

CVE-2013-0311, Important
A flaw was found in the way the vhost kernel module handled descriptors that spanned multiple regions. A privileged guest user in a KVM guest could use this flaw to crash the host or, potentially, escalate their privileges on the host.

CVE-2012-4542, Moderate
It was found that the default SCSI command filter does not accommodate commands that overlap across device classes. A privileged guest user could potentially use this flaw to write arbitrary data to a LUN that is passed-through as read-only.

CVE-2013-0190, Moderate
A flaw was found in the way the xen_failsafe_callback() function in the Linux kernel handled the failed iret (interrupt return) instruction notification from the Xen hypervisor. An unprivileged user in a 32-bit para-virtualized guest could use this flaw to crash the guest.

CVE-2013-0309, Moderate
A flaw was found in the way pmd_present() interacted with PROT_NONE memory ranges when transparent hugepages were in use. A local, unprivileged user could use this flaw to crash the system.

CVE-2013-0310, Moderate
A flaw was found in the way CIPSO (Common IP Security Option) IP options were validated when set from user mode. A local user able to set CIPSO IP options on the socket could use this flaw to crash the system.

Red Hat would like to thank Theodore Ts'o for reporting CVE-2012-4508, and Andrew Cooper of Citrix for reporting CVE-2013-0190. Upstream acknowledges Dmitry Monakhov as the original reporter of CVE-2012-4508. The CVE-2012-4542 issue was discovered by Paolo Bonzini of Red Hat.

Bug Fixes

BZ#807385
Suspending a system (mode S3) running on an HP Z1 All-in-one Workstation with an internal Embedded DisplayPort (eDP) panel and an external DisplayPort (DP) monitor, and subsequently waking up the system, caused the backlight of the eDP panel to not be re-enabled. To fix this issue, the code that handles suspending in the i915 module has been modified to write the BLC_PWM_CPU_CTL parameter using the I915_WRITE function after writing the BLC_PWM_CPU_CTL2 parameter.

BZ#891839
Prior to this update, when a VLAN device was set up on a qlge interface, running the TCP Stream Performance test using the netperf utility to test TCP/IPv6 traffic caused the kernel to produce warning messages that impacted the overall performance. This was due to an unsupported feature (NETIF_F_IPV6_CSUM) which was enabled via the NETIF_F_TSO6 flag. This update removes the NETIF_F_TSO6 flag from qlge code and TCP/IPv6 traffic performance is no longer impacted.

BZ#876912
The isci driver copied the result of a "Register Device to Host" frame into the wrong buffer, causing the SATA DOWNLOAD MICROCODE command to fail and preventing the download of hard drive firmware. This bug in the frame handler routine caused a timeout, resulting in a reset. With this update, the underlying source code has been modified to address this issue, and the isci driver successfully completes SATA DOWNLOAD MICROCODE commands as expected.

BZ#813677
In the xHCI code, due to a descriptor that incorrectly pointed at the USB 3.0 registers instead of the USB 2.0 registers, a kernel panic could occur when more USB 2.0 registers were available than USB 3.0 registers. This update fixes the descriptor to point at the USB 2.0 registers, and the kernel panic no longer occurs in the aforementioned case.

BZ#879509
When the "perf script --gen-script" command was called with a perf.data file which contained no tracepoint events, the command terminated unexpectedly with a segmentation fault due to a NULL "pevent" pointer. With this update, the underlying source code has been modified to address this issue, and the aforementioned command no longer crashes.

BZ#885030
Running the mq_notify/5-1 test case from the Open POSIX test suite resulted in corrupted memory, later followed by various kernel crash/BUG messages. This update addresses the mq_send/receive memory corruption issue in the inter-process communication code, and the aforementioned test case no longer fails.

BZ#841983
Bond masters and slaves now have separate VLAN groups. As such, if a slave device incurred a network event that resulted in a failover, the VLAN device could process this event erroneously. With this update, when a VLAN is attached to a master device, it ignores events generated by slave devices so that the VLANs do not go down until the bond master does.

BZ#836748
Previously in the kernel, when the leap second hrtimer was started, it was possible that the kernel livelocked on the xtime_lock variable. This update fixes the problem by using a mixture of separate subsystem locks (timekeeping and ntp) and removing the xtime_lock variable, thus avoiding the livelock scenarios that could occur in the kernel.

BZ#836803
After the leap second was inserted, applications calling system calls that used futexes consumed almost 100% of available CPU time. This occurred because the kernel's timekeeping structure update did not properly update these futexes. The futexes repeatedly expired, re-armed, and then expired immediately again. This update fixes the problem by properly updating the futex expiration times by calling the clock_was_set_delayed() function, an interrupt-safe method of the clock_was_set() function.

BZ#822691
When the Fibre Channel (FC) layer sets a device to "running", the layer also scans for other new devices. Previously, there was a race condition between these two operations. Consequently, for certain targets, thousands of invalid devices were created by the SCSI layer and the udev service. This update ensures that the FC layer always sets a device to "online" before scanning for others, thus fixing this bug.

BZ#845135
Certain disk device arrays report a medium error without returning any data. This was not being handled correctly in cases where low level device drivers were not setting the optional residual field; however, most modern low level drivers do set it. This update correctly handles cases where low level drivers do not set the residual field in the upper level sd driver, avoiding the potential data corruption.

BZ#890454
This update reverts a previously-applied patch that caused the qla2xxx driver to not be able to load on an IBM POWER 7 7895-81X system. This patch has also been isolated as the cause of Dynamic Logical Partitioning (DLPAR) memory remove failures on 2 adapters.

BZ#841149
A previous update changed the /proc/stat code to use the get_cpu_idle_time_us() and get_cpu_iowait_time_us() macros if dynamic ticks are enabled in the kernel. This could lead to problems on the IBM System z architecture, which defines the arch_idle_time() macro. For example, executing the "vmstat" command could fail with "Floating point exception" followed by a core dump. The underlying source code has been modified so that the arch_idle_time() macro is used for idle and iowait times, which prevents the mentioned problem.

BZ#809792
The Stream Control Transmission Protocol (SCTP) process became unresponsive inside the sctp_wait_for_sndbuf() function when the sender exhausted the send buffer and waited indefinitely to be woken up. This was because twice the amount of data was accounted for during a packet transmission, once when constructing the packet and the second time when transmitting it. Thus, the available memory resources were used up too early, causing a deadlock. With this update, only a single byte is reserved to ensure the socket stays alive for the life time of the packet, and the SCTP process no longer hangs.

BZ#852847
If there are no active threads using a semaphore, blocked threads should be unblocked. Previously, the R/W semaphore code looked for a semaphore counter as a whole to reach zero, which is incorrect because at least one thread is usually queued on the semaphore and the counter is marked to reflect this. As a consequence, the system could become unresponsive when an application used direct I/O on the XFS file system. With this update, only the count of active semaphores is checked, thus preventing the hang in this scenario.

BZ#861164
When performing PCI device assignment on AMD systems, a virtual machine using the assigned device might not be able to boot, because the device had failed the assignment, leaving the device in an unusable state. This was due to an improper range check that omitted the last PCI device in a PCI subsystem or tree. The check has been fixed to include the full range of PCI devices in a PCI subsystem or tree. This bug fix avoids boot failures of a virtual machine when the last device in a PCI subsystem is assigned to a virtual machine on an AMD host system.

BZ#859533
The mlx4 driver must program the mlx4 card so that it is able to resolve which MAC addresses to listen to, including multicast addresses. Therefore, the mlx4 card keeps a list of trusted MAC addresses. The driver used to perform updates to this list on the card by emptying the entire list and then programming in all of the addresses. Thus, whenever a user added or removed a multicast address or put the card into or out of promiscuous mode, the card's entire address list was re-written. This introduced a race condition, which resulted in a packet loss if a packet came in on an address the card should be listening to, but had not yet been reprogrammed to listen to. With this update, the driver no longer rewrites the entire list of trusted MAC addresses on the card but maintains a list of addresses that are currently programmed into the card. On address addition, only the new address is added to the end of the list, and on removal, only the to-be-removed address is removed from the list. The mlx4 card no longer experiences the described race condition and packets are no longer dropped in this scenario.

BZ#858850
Filesystem in Userspace (FUSE) did not implement scatter-gather direct I/O optimally. Consequently, the kernel had to process an extensive number of FUSE requests, which had a negative impact on system performance. This update applies a set of patches which improves internal request management for other features, such as readahead. FUSE direct I/O overhead has been significantly reduced to minimize negative effects on system performance.

BZ#865637
A previous kernel update introduced a bug that caused RAID0 and linear arrays larger than 4 TB to be truncated to 4 TB when using 0.90 metadata. The underlying source code has been modified so that 0.90 RAID0 and linear arrays larger than 4 TB are no longer truncated in the md RAID layer.

BZ#865682
A larger command descriptor block (CDB) is allocated for devices using Data Integrity Field (DIF) type 2 protection. The CDB was being freed in the sd_done() function, which resulted in a kernel panic if the command had to be retried in certain error recovery cases. With this update, the larger CDB is now freed in the sd_unprep_fn() function instead. This prevents the kernel panic from occurring.

BZ#857518
Previously, a use-after-free bug in the usbhid code caused a NULL pointer dereference. Consequent kernel memory corruption resulted in a kernel panic and could cause data loss. This update adds a NULL check to avoid these problems.

BZ#856325
A race condition could occur between page table sharing and virtual memory area (VMA) teardown. As a consequence, multiple "bad pmd" message warnings were displayed and "kernel BUG at mm/filemap.c:129" was reported while shutting down applications that share memory segments backed by huge pages. With this update, the VM_MAYSHARE flag is explicitly cleaned during the unmap_hugepage_range() call under the i_mmap_lock. This makes the VMA ineligible for sharing and avoids the race condition. After using shared segments backed by huge pages, applications like databases and caches shut down correctly, with no crash.

BZ#855984
When I/O is issued through blk_execute_rq(), the blk_execute_rq_nowait() routine is called to perform various tasks. At first, the routine checks for a dead queue. Previously, however, if a dead queue was detected, the blk_execute_rq_nowait() function did not invoke the done() callback function. This resulted in blk_execute_rq() being unresponsive when waiting for completion, which had never been issued. To avoid such hangs, the rq->end_io pointer is initialized to the done() callback before the queue state is verified.

BZ#855759
The Stream Control Transmission Protocol (SCTP) ipv6 source address selection logic did not take the preferred source address into consideration. With this update, the source address is chosen from the routing table by taking this aspect into consideration. This brings the SCTP source address selection on par with IPv4.

BZ#855139
Under certain circumstances, a system crash could result in data loss on XFS file systems. If files were created immediately before the file system was left to idle for a long period of time and then the system crashed, those files could appear as zero-length once the file system was remounted. This occurred even if a sync or fsync was run on the files. This was because XFS was not correctly idling the journal, and therefore it incorrectly replayed the inode allocation transactions upon mounting after the system crash, which zeroed the file size. This problem has been fixed by re-instating the periodic journal idling logic to ensure that all metadata is flushed within 30 seconds of modification, and the journal is updated to prevent incorrect recovery operations from occurring.

BZ#854376
Mellanox hardware keeps a separate list of Ethernet hardware addresses it listens to depending on whether the Ethernet hardware address is unicast or multicast. Previously, the mlx4 driver was incorrectly adding multicast addresses to the unicast list. This caused unstable behavior in terms of whether or not the hardware would have actually listened to the addresses requested. This update fixes the problem by always putting multicast addresses on the multicast list and vice versa.

BZ#854140
Previously, the kernel had no way to distinguish between a device I/O failure due to a transport problem and a failure as a result of command timeout expiration. I/O errors always resulted in a device being set offline and the device had to be brought online manually even though the I/O failure occurred due to a transport problem. With this update, the SCSI driver has been modified and a new SDEV_TRANSPORT_OFFLINE state has been added to help distinguish transport problems from other I/O failure causes. Transport errors are now handled differently and storage devices can now recover from these failures without user intervention.

BZ#854053
In a previous release of Red Hat Enterprise Linux, the new Mellanox packet steering architecture had been intentionally left out of the Red Hat kernel. With Red Hat Enterprise Linux 6.4, the new Mellanox packet steering architecture was merged into the Red Hat Mellanox driver. One merge detail was missing, and as a result, the multicast promiscuous flag on an interface was not checked during an interface reset to see if the flag was on prior to the reset and should be re-enabled after the reset. This update fixes the problem, so if an adapter is reset and the multicast promiscuous flag was set prior to the reset, the flag is now still set after the reset.

BZ#854052
On dual port Mellanox hardware, the mlx4 driver was adding promiscuous mode to the correct port, but when attempting to remove promiscuous mode from a port, it always tried to remove it from port one. It was therefore impossible to remove promiscuous mode from the second port, and promiscuous mode was incorrectly removed from port one even if it was not intended. With this update, the driver now properly attempts to remove promiscuous mode from port two when needed.

BZ#853007
The kernel provided by the Red Hat Enterprise Linux 6.3 release included an unintentional kernel ABI (kABI) breakage with regards to the "contig_page_data" symbol. Unfortunately, this breakage did not cause the checksums to change. As a result, drivers using this symbol could silently corrupt memory on the kernel. This update reverts the previous behavior.

BZ#852148
In case of a regular CPU hot plug event, the kernel does not keep the original cpuset configuration and can reallocate running tasks to active CPUs. Previously, the kernel treated switching between suspend and resume modes as a regular CPU hot plug event, which could have a significant negative impact on system performance in certain environments such as SMP KVM virtualization. When resuming an SMP KVM guest from suspend mode, the libvirtd daemon and all its child processes were pinned to a single CPU (the boot CPU) so that all VMs used only the single CPU. This update applies a set of patches which ensure that the kernel does not modify cpusets during suspend and resume operations. The system is now resumed in the exact state before suspending without any performance decrease.

BZ#851118
Prior to this update, it was not possible to set IPv6 source addresses in routes as it was possible with IPv4. With this update, users can select the preferred source address for a specific IPv6 route with the "src" option of the "ip -6 route" command.

BZ#849702
Previously, when a server attempted to shut down a socket, the svc_tcp_sendto() function set the XPT_CLOSE variable if the entire reply failed to be transmitted. However, before XPT_CLOSE could be acted upon, other threads could send further replies before the socket was really shut down. Consequently, data corruption could occur in the RPC record marker. With this update, send operations on a closed socket are stopped immediately, thus preventing this bug.

BZ#849188
The usb_device_read() routine used the bus->root_hub pointer to determine whether or not the root hub was registered. However, this test was invalid because the pointer was set before the root hub was registered and remained set even after the root hub was unregistered and deallocated. As a result, the usb_device_read() routine accessed freed memory, causing a kernel panic; for example, on USB device removal. With this update, the hcs->rh_registered flag, which is set and cleared at the appropriate times, is used in the test, and the kernel panic no longer occurs in this scenario.

BZ#894344
BE family hardware could falsely indicate an unrecoverable error (UE) on certain platforms and stop further access to be2net-based network interface cards (NICs). A patch has been applied to disable the code that stops further access to hardware for BE family network interface cards (NICs). For a real UE, it is not necessary as the corresponding hardware block is not accessible in this situation.

BZ#847838
Previously, a race condition existed whereby device open could race with device removal (for example when hot-removing a storage device), potentially leading to a kernel panic. This was due to a use-after-free error in the block device open patch, which has been corrected by not referencing the "disk" pointer after it has been passed to the module_put() function.

BZ#869750
The hugetlbfs file system implementation was missing a proper lock protection of enqueued huge pages at the gather_surplus_pages() function. Consequently, the hstate.hugepages_freelist list became corrupted, which caused a kernel panic. This update adjusts the code so that the used spinlock protection now assures atomicity and safety of enqueued huge pages when handling hstate.hugepages_freelist. The kernel no longer panics in this scenario.

BZ#847310
An unnecessary check for the RXCW.CW bit could cause the Intel e1000e NIC (Network Interface Controller) to not work properly. The check has been removed so that the Intel e1000e NIC now works as expected.

BZ#846585
If a mirror or redirection action is configured to cause packets to go to another device, the classifier holds a reference count. However, it was previously assuming that the administrator cleaned up all redirections before removing. Packets were therefore dropped if the mirrored device was not present, and connectivity to the host could be lost. To prevent such problems, a notifier and cleanup are now run during the unregister action. Packets are not dropped if the mirrored device is not present.

BZ#846419
Previously, the MultiTech MT9234MU USB serial device was not supported by version 0.9 of the ti_usb_3410_5052 kernel module. With this update, the MultiTech MT9234MU USB serial device is supported by this version.

BZ#846024
Previously, the I/O watchdog feature was disabled when Intel Enhanced Host Controller Interface (EHCI) devices were detected. This could cause incorrect detection of USB devices upon addition or removal. Also, in some cases, even though such devices were detected properly, they were non-functional. The I/O watchdog feature can now be enabled on the kernel command line, which improves hardware detection on underlying systems.

BZ#845347
A kernel panic could occur when using the be2net driver. This was because the Bottom Half (BF) was enabled even if the Interrupt ReQuest (IRQ) was already disabled. With this update, the BF is disabled in callers of the be_process_mcc() function and the kernel no longer crashes in this scenario. Note that, in certain cases, it is possible to experience the network card being unresponsive after installing this update. A future update will correct this problem.

BZ#844814
This issue affects O_DSYNC performance on GFS2 when only data (and not metadata such as file size) has been dirtied as the result of a write system call. Prior to this patch, O_DSYNC writes were behaving in the same way as O_SYNC for all cases. After this patch, O_DSYNC writes will only write back data, if the inode's metadata is not dirty. This gives a considerable performance improvement for this specific case. Note that the issue does not affect data integrity. The same issue also applies to the pairing of write and fdatasync calls.

BZ#844531
Previously, a cgroup or its hierarchy could only be modified under the cgroup_mutex master lock. This introduced a locking dependency on cred_guard_mutex from cgroup_mutex and completed a circular dependency, which involved cgroup_mutex, namespace_sem and workqueue, and led to a deadlock. As a consequence, many processes were unresponsive, and the system could be eventually unusable. This update introduces a new mutex, cgroup_root_mutex, which protects cgroup root modifications and is now used by mount options readers instead of the master lock. This breaks the circular dependency and avoids the deadlock.

BZ#843771
On architectures with the 64-bit cputime_t type, it was possible to trigger the "divide by zero" error, namely, on long-lived processes. A patch has been applied to address this problem, and the "divide by zero" error no longer occurs under these circumstances.

BZ#843541
The kernel allows high priority real time tasks, such as tasks scheduled with the SCHED_FIFO policy, to be throttled. Previously, the CPU stop tasks were scheduled as high priority real time tasks and could thus be throttled accordingly. However, the replenishment timer, which is responsible for clearing a throttle flag on tasks, could be pending on the just disabled CPU. This could lead to a situation in which the throttled tasks were never scheduled to run. Consequently, if any such task was needed to complete the CPU disabling, the system became unresponsive. This update introduces a new scheduler class, which gives a task the highest possible system priority and such a task cannot be throttled. The stop-task scheduling class is now used for the CPU stop tasks, and the system shutdown completes as expected in the scenario described.

BZ#843163
The previous implementation of socket buffers (SKBs) allocation for a NIC was node-aware, that is, memory was allocated on the node closest to the NIC. This increased performance of the system because all DMA transfer was handled locally. This was a good solution for networks with a lower frame transmitting rate where CPUs of the local node handled all the traffic of the single NIC well. However, when using 10Gb Ethernet devices, CPUs of one node usually do not handle all the traffic of a single NIC efficiently enough. Therefore, system performance was poor even though the DMA transfer was handled by the node local to the NIC. This update modifies the kernel to allow SKBs to be allocated on a node that runs applications receiving the traffic. This ensures that the NIC's traffic is handled by as many CPUs as needed, and since SKBs are accessed very frequently after allocation, the kernel can now operate much more efficiently even though the DMA can be transferred cross-node.

BZ#872813
Bug 768304 introduced a deadlock on the super block umount mutex. Consequently, when two processes attempted to mount an NFS file system at the same time they would block. This was because of a backport mistake with one of the patches of bug 768304, which resulted in an imbalance between the mutex acquires and releases. Rather than just fix the imbalance, an upstream patch that the problem patch depended on was identified and backported so that the kernel code then matched the upstream code. The deadlock no longer occurs in this scenario.

BZ#842881
A kernel oops could occur due to a NULL pointer dereference upon USB device removal. The NULL pointer dereference has been fixed and the kernel no longer crashes in this scenario.

BZ#842435
When an NFSv4 client received a read delegation, a race between the OPEN and DELEGRETURN operation could occur. If the DELEGRETURN operation was processed first, the NFSv4 client treated the delegation returned by the following OPEN as a new delegation. Also, the NFSv4 client did not correctly handle errors caused by requests that used a bad or revoked delegation state ID. As a result, applications running on the client could receive spurious EIO errors. This update applies a series of patches that fix the NFSv4 code so an NFSv4 client recovers correctly in the described situations instead of returning errors to applications.

BZ#842312
Due to a missing return statement, the nfs_attr_use_mounted_on_file() function returned a wrong value. As a consequence, redundant ESTALE errors could potentially be returned. This update adds the proper return statement to nfs_attr_use_mounted_on_file(), thus preventing this bug. Note that this bug only affects NFSv4 file systems.

BZ#841987
Previously, soft interrupt requests (IRQs) under the bond_alb_xmit() function were locked even when the function contained soft IRQs that were disabled. This could cause a system to become unresponsive or terminate unexpectedly. With this update, such IRQs are no longer disabled, and the system no longer hangs or crashes in this scenario.

BZ#873949
Previously, the IP over Infiniband (IPoIB) driver maintained state information about neighbors on the network by attaching it to the core network's neighbor structure. However, due to a race condition between the freeing of the core network neighbor struct and the freeing of the IPoIB network struct, a use after free condition could happen, resulting in either a kernel oops or 4 or 8 bytes of kernel memory being zeroed when it was not supposed to be. These patches decouple the IPoIB neighbor struct from the core networking stack's neighbor struct so that there is no race between the freeing of one and the freeing of the other.

BZ#874322
Previously, XFS could, under certain circumstances, incorrectly read metadata from the journal during XFS log recovery. As a consequence, XFS log recovery terminated with an error message and prevented the file system from being mounted. This problem could result in a loss of data if the user forcibly "zeroed" the log to allow the file system to be mounted. This update ensures that metadata is read correctly from the log so that journal recovery completes successfully and the file system mounts as expected.

BZ#748827
If a dirty GFS2 inode was being deleted but was in use by another node, its metadata was not written out before GFS2 checked for dirty buffers in the gfs2_ail_flush() function. GFS2 was relying on the inode_go_sync() function to write out the metadata when the other node tried to free the file. However, this never happened because GFS2 failed the error check. With this update, the inode is written out before calling the gfs2_ail_flush() function. If a process has the PF_MEMALLOC flag set, it does not start a new transaction to update the access time when it writes out the inode. The inode is marked as dirty to make sure that the access time is updated later unless the inode is being freed.

BZ#839973
A USB Human Interface Device (HID) can be disconnected at any time. If this happened right before or while the hiddev_ioctl() call was in progress, hiddev_ioctl() attempted to access the invalid hiddev->hid pointer. When the HID device was disconnected, the hiddev_disconnect() function called the hid_device_release() function, which frees the hid_device structure type, but did not set the hiddev->hid pointer to NULL. If the deallocated memory region was re-used by the kernel, a kernel panic or memory corruption could occur. The hiddev->exist flag is now checked while holding the existancelock and hid_device is used only if such a device exists. As a result, the kernel no longer crashes in this scenario.

BZ#839311
The CONFIG_CFG80211_WEXT configuration option previously defined in the KConfig of the ipw2200 driver was removed with a recent update. This led to a build failure of the driver. The driver no longer depends on the CONFIG_CFG80211_WEXT option, so it can build successfully.

BZ#875036
The mmap_rnd() function is expected to return a value in the [0x00000000 .. 0x000FF000] range on 32-bit x86 systems. This behavior is used to randomize the base load address of shared libraries by a bug fix resolving the CVE-2012-1568 issue. However, due to a signedness bug, the mmap_rnd() function could return values outside of the intended scope. Consequently, the shared libraries base address could be less than one megabyte. This could cause binaries that use the MAP_FIXED mappings in the first megabyte of the process address space (typically, programs using vm86 functionality) to work incorrectly. This update modifies the mmap_rnd() function to no longer cast values returned by the get_random_int() function to the long data type. The aforementioned binaries now work correctly in this scenario.
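
The signedness error described in BZ#875036 can be reproduced in user space. The following is an added example, not Red Hat's or the kernel's code: it models the 32-bit long with int32_t, and EXAMPLE_BASE, the function names and the sample values are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT   12
#define RND_BITS     8              /* 8 random bits, so offsets 0x00000000..0x000FF000 */
#define RND_MAX      0x000FF000u    /* upper bound of the range stated in the note */
#define ONE_MEGABYTE 0x00100000u
#define EXAMPLE_BASE 0x00110000u    /* hypothetical library base, not taken from the note */

/* Constructed sample values standing in for get_random_int() results. */
const uint32_t SAMPLES[] = {
    0x00000000u, 0x7FFFFFFFu, 0x80000000u,
    0x80000001u, 0xDEADBEEFu, 0xFFFFFFFFu
};
#define N_SAMPLES (sizeof SAMPLES / sizeof SAMPLES[0])

/* Flawed form: the unsigned random value is cast to a signed 32-bit type
 * (a long on 32-bit x86) before the modulo. The conversion of values above
 * INT32_MAX is implementation-defined; gcc and clang wrap to a negative
 * number. C's % truncates toward zero, so the remainder is then negative. */
uint32_t mmap_rnd_signed(uint32_t random_int)
{
    int32_t as_long = (int32_t)random_int;
    int32_t rnd = as_long % (1 << RND_BITS);     /* -255 .. 255 */
    return (uint32_t)rnd << PAGE_SHIFT;          /* negative rnd becomes a huge offset */
}

/* Corrected form: no cast, the modulo is taken on the unsigned value. */
uint32_t mmap_rnd_unsigned(uint32_t random_int)
{
    return (random_int % (1u << RND_BITS)) << PAGE_SHIFT;
}

/* 1 if the offset lies in [0x00000000 .. 0x000FF000]. */
int offset_in_range(uint32_t offset)
{
    return offset <= RND_MAX;
}

/* Base address after adding the offset, with 32-bit wraparound. */
uint32_t library_base(uint32_t offset)
{
    return EXAMPLE_BASE + offset;
}

/* Number of samples for which the given variant leaves the stated range. */
size_t count_out_of_range(uint32_t (*rnd)(uint32_t))
{
    size_t bad = 0;
    for (size_t i = 0; i < N_SAMPLES; i++)
        if (!offset_in_range(rnd(SAMPLES[i])))
            bad++;
    return bad;
}

int main(void)
{
    for (size_t i = 0; i < N_SAMPLES; i++) {
        uint32_t s = mmap_rnd_signed(SAMPLES[i]);
        uint32_t u = mmap_rnd_unsigned(SAMPLES[i]);
        printf("random=0x%08x signed: offset=0x%08x base=0x%08x%s | "
               "unsigned: offset=0x%08x base=0x%08x\n",
               (unsigned)SAMPLES[i], (unsigned)s, (unsigned)library_base(s),
               library_base(s) < ONE_MEGABYTE ? " (below 1 MB)" : "",
               (unsigned)u, (unsigned)library_base(u));
    }
    printf("out of range: signed=%zu unsigned=%zu\n",
           count_out_of_range(mmap_rnd_signed),
           count_out_of_range(mmap_rnd_unsigned));
    return 0;
}
```

Any random value with the top bit set and a non-zero low byte produces a negative remainder in the signed variant, which is why half of the constructed samples fall outside the range.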

BZ#837607
Due to an error in the dm-mirror driver, when using LVM mirrors on disks with discard support (typically SSD disks), repairing such disks caused the system to terminate unexpectedly. The error in the driver has been fixed and repairing disks with discard support is now successful.

BZ#837230During the update of the be2net driver between the Red Hat Enterprise Linux 6.1 and 6.2, theNETIF_F_GRO flag was incorrectly removed, and the GRO (Generic Receive Offload) featurewas therefore disabled by default. In OpenVZ kernels based on Red Hat Enterprise Linux 6.2,this led to a significant traffic decrease. To prevent this problem, the NETIF_F_GRO flag hasbeen included in the underlying source code.

BZ#875091
Previously, the HP Smart Array driver (hpsa) used the target reset functionality. However, HP Smart Array logical drives do not support the target reset functionality. Therefore, if the target reset failed, the logical drive was taken offline with a file system error. The hpsa driver has been updated to use the LUN reset functionality instead of target reset, which is supported by these drives.

BZ#765665
A possible race between the n_tty_read() and reset_buffer_flags() functions could result in a NULL pointer dereference in the n_tty_read() function under certain circumstances. As a consequence, a kernel panic could have been triggered when interrupting a current task on a serial console. This update modifies the tty driver to use a spin lock to prevent functions from accessing variables in parallel. A NULL pointer dereference causing a kernel panic can no longer occur in this scenario.

BZ#769045
Traffic to the NFS server could trigger a kernel oops in the svc_tcp_clear_pages() function. The source code has been modified, and the kernel oops no longer occurs in this scenario.

BZ#836164
Previously, reference counting was imbalanced in the slave add and remove paths for bonding. If a network interface controller (NIC) did not support the NETIF_F_HW_VLAN_FILTER flag, the bond_add_vlans_on_slave() and bond_del_vlans_on_slave() functions did not work properly, which could lead to a kernel panic if the VLAN module was removed while running. The underlying source code for adding and removing a slave and a VLAN has been revised and now also contains a common path, so that kernel crashes no longer occur in the described scenario.

BZ#834764
The bonding method for adding VLAN Identifiers (VIDs) did not always add the VID to a slave VLAN group. When the NETIF_F_HW_VLAN_FILTER flag was not set on a slave, the bonding module could not add new VIDs to it. This could cause networking problems and the system to be unreachable even if NIC messages did not indicate any problems. This update changes the bond VID add path to always add a new VID to the slaves (if the VID does not exist). This ensures that networking problems no longer occur in this scenario.

BZ#783322
Previously, after a crash, preparing to switch to the kdump kernel could in rare cases race with IRQ migration, causing a deadlock of the ioapic_lock variable. As a consequence, kdump became unresponsive. The race condition has been fixed, and switching to kdump no longer causes hangs in this scenario.

BZ#834038
Previously, futex operations on read-only (RO) memory maps did not work correctly. This broke workloads that had one or more reader processes performing the FUTEX_WAIT operation on a futex within a read-only shared file mapping and a writer process that had a writable mapping performing the FUTEX_WAKE operation. With this update, the FUTEX_WAKE operation is performed with a RO MAP_PRIVATE mapping, and is successfully awakened if another process updates the region of the underlying mapped file.

BZ#833098
When a device was registered to a bus, a race condition could occur between the device being added to the list of devices of the bus and binding the device to a driver. As a result, the device could already be bound to a driver which led to a warning and incorrect reference counting, and consequently to a kernel panic on device removal. To avoid the race condition, this update adds a check to identify an already bound device.

BZ#832135
Sometimes, the crypto allocation code could become unresponsive for 60 seconds or multiples thereof due to an incorrect notification mechanism. This could cause applications, like openswan, to become unresponsive. The notification mechanism has been improved to avoid such hangs.

BZ#832009
When a device is added to the system at runtime, the AMD IOMMU driver initializes the necessary data structures to handle translation for it. Previously, however, the per-device dma_ops structure types were not changed to point to the AMD IOMMU driver, so mapping was not performed and direct memory access (DMA) ended with the IO_PAGE_FAULT message. This consequently led to networking problems. With this update, the structure types point correctly to the AMD IOMMU driver, and networking works as expected when the AMD IOMMU driver is used.

BZ#830716
It is possible to receive data on multiple transports. Previously, however, data could be selectively acknowledged (SACKed) on a transport that had never received any data. This was against the SHOULD requirement in section 6.4 of the RFC 2960 standard. To comply with this standard, bundling of SACK operations is restricted to only those transports which have moved the ctsn of the association forward since the last sack. As a result, only outbound SACKs on a transport that has received a chunk since the last SACK are bundled.

BZ#830209
On ext4 file systems, when fallocate() failed to allocate blocks due to the ENOSPC condition (no space left on device) for a file larger than 4 GB, the size of the file became corrupted and, consequently, caused file system corruption. This was due to a missing cast operator in the "ext4_fallocate()" function. With this update, the underlying source code has been modified to address this issue, and file system corruption no longer occurs.

BZ#829739
Previously, on Fibre Channel hosts using the QLogic QLA2xxx driver, users could encounter error messages and long I/O outages during fabric faults. This was because the number of outstanding requests was hard-coded. With this update, the number of outstanding requests the driver keeps track of is based on the available resources instead of being hard-coded, which avoids the aforementioned problems.

BZ#829211
Previously introduced firmware files required for new Realtek chipsets contained an invalid prefix ("rtl_nic_") in the file names, for example "/lib/firmware/rtl_nic/rtl_nic_rtl8168d-1.fw". This update corrects these file names. For example, the aforementioned file is now correctly named "/lib/firmware/rtl_nic/rtl8168d-1.fw".

BZ#829149
Due to insufficient handling of a dead Input/Output Controller (IOC), the mpt2sas driver could fail Enhanced I/O Error Handling (EEH) recovery for certain PCI bus failures on 64-bit IBM PowerPC machines. With this update, when a dead IOC is detected, the EEH recovery routine has more time to resolve the failure and the controller in a non-operational state is removed.

BZ#828271
USB Request Blocks (URBs) coming from user space were not allowed to have transfer buffers larger than an arbitrary maximum. This could lead to various problems; for example, attempting to redirect certain USB mass-storage devices could fail. To avoid such problems, programs are now allowed to submit URBs of any size; if there is not sufficient contiguous memory available, the submission fails with an ENOMEM error. In addition, to prevent programs from submitting a lot of small URBs and so using all the DMA-able kernel memory, this update also replaces the old limits on individual transfer buffers with a single global limit of 16 MB on the total amount of memory in use by the USB file system (usbfs).

BZ#828065
A race condition could occur due to an incorrect locking scheme in the code for software RAID. Consequently, this could cause the mkfs utility to become unresponsive when creating an ext4 file system on software RAID5. This update introduces a locking scheme in the handle_stripe() function, which ensures that the race condition no longer occurs.

BZ#826375
Previously, using the e1000e driver could lead to a kernel panic. This was caused by a NULL pointer dereference that occurred if the adapter was being closed and reset simultaneously. The source code of the driver has been modified to address this problem, and the kernel no longer crashes in this scenario.

BZ#878204
When a new rpc_task is created, the code takes a reference to rpc_cred and sets the task->tk_cred pointer to it. After the call completes, the resources held by the rpc_task are freed. Previously, however, after the rpc_cred was released, the pointer to it was not zeroed out. This led to an rpc_cred reference count underflow, and consequently to a kernel panic. With this update, the pointer to rpc_cred is correctly zeroed out, which prevents a kernel panic from occurring in this scenario.

BZ#823822
When removing a bonding module, the bonding driver uses code separate from the net device operations to clean up the VLAN code. Recent changes to the kernel introduced a bug which caused a kernel panic if the vlan module was removed after the bonding module had been removed. To fix this problem, the VLAN group removal operations found in the bonding kill_vid path are now duplicated in alternate paths which are used when removing a bonding module.

BZ#823371
When TCP segment offloading (TSO) or jumbo packets are used on the Broadcom BCM5719 network interface controller (NIC) with multiple TX rings, small packets can be starved for resources by the simple round-robin hardware scheduling of these TX rings, thus causing lower network performance. To ensure reasonable network performance for all NICs, multiple TX rings are now disabled by default.

BZ#822651
Previously, the default minimum entitled capacity of a virtual processor was 10%. This update changes the PowerPC architecture vector to support a lower minimum virtual processor capacity of 1%.

BZ#821374
On PowerPC architecture, the "top" utility displayed incorrect values for the CPU idle time, delays and workload. This was caused by a previous update that used jiffies for the I/O wait and idle time, but the change did not take into account that jiffies and CPU time are represented by different units. These differences are now taken into account, and the "top" utility displays correct values on PowerPC architecture.

BZ#818172
A bug in the writeback livelock avoidance scheme could result in some dirty data not being written to disk during a sync operation. In particular, this could occasionally occur at unmount time, when previously written file data was not synced, and was unavailable after the file system was remounted. Patches have been applied to address this issue, and all dirty file data is now synced to disk at unmount time.

BZ#807704
Previously, the TCP socket bound to the NFS server contained a stale skb_hints socket buffer. Consequently, the kernel could terminate unexpectedly. A patch has been provided to address this issue and skb_hints is now properly cleared from the socket, thus preventing this bug.

BZ#814877
Previously, bnx2x devices did not disable links with a large number of RX errors and overruns, and such links could still be detected as active. This prevented the bonding driver from failing over to a working link. This update restores remote-fault detection, which periodically checks for remote faults on the MAC layer. In case the physical link appears to be up but an error occurs, the link is disabled. Once the error is cleared, the link is brought up again.

BZ#813137
Various race conditions that led to indefinite log reservation hangs due to xfsaild "idle" mode occurred in the XFS file system. This could lead to certain tasks being unresponsive; for example, the cp utility could become unresponsive on heavy workload. This update improves the Active Item List (AIL) pushing logic in xfsaild. Also, the log reservation algorithm and interactions with xfsaild have been improved. As a result, the aforementioned problems no longer occur in this scenario.

BZ#811255
The Out of Memory (OOM) killer killed processes outside of a memory cgroup when one or more processes inside that memory cgroup exceeded the "memory.limit_in_bytes" value. This was because when a copy-on-write fault happened on a Transparent Huge Page (THP), the 2 MB THP caused the cgroup to exceed the memory.limit_in_bytes value but the individual 4 KB page was not exceeded. With this update, the 2 MB THP is correctly split into 4 KB pages when the memory.limit_in_bytes value is exceeded. The OOM kill is delivered within the memory cgroup; tasks outside the memory cgroups are no longer killed by the OOM killer.

BZ#812904
This update blacklists the ADMA428M revision of the 2GB ATA Flash Disk device. This is due to data corruption occurring on the said device when the Ultra-DMA 66 transfer mode is used. When the "libata.force=5:pio0,6:pio0" kernel parameter is set, the aforementioned device works as expected.

BZ#814044
With certain switch peers and firmware, excessive link flaps could occur due to the way DCBX (Data Center Bridging Exchange) was handled. To prevent link flaps, changes were made to examine the capabilities in more detail and only initialize hardware if the capabilities have changed.

BZ#865115
If an abort request times out to the virtual Fibre Channel adapter, the ibmvfc driver initiates a reset of the adapter. Previously, however, the ibmvfc driver incorrectly returned success to the eh_abort handler and then sent a response to the same command, which led to a kernel oops on IBM System p machines. This update ensures that both the abort request and the request being aborted are completed prior to exiting the eh_abort handler, and the kernel oops no longer occurs in this scenario.

BZ#855906
A kernel panic occurred when the size of a block device was changed and an I/O operation was issued at the same time. This was because the direct and non-direct I/O code was written with the assumption that the block size would not change. This update introduces a new read-write lock, bd_block_size_semaphore. The lock is taken for read during I/O operations and for write when changing the block size of a device. As a result, block size cannot be changed while I/O is being submitted. This prevents the kernel from crashing in the described scenario.

BZ#883643
The bonding driver previously did not honor the maximum Generic Segmentation Offload (GSO) length of packets and segments requested by the underlying network interface. This caused the firmware of the underlying NIC, such as be2net, to become unresponsive. This update modifies the bonding driver to set up the lowest gso_max_size and gso_max_segs values of network devices while attaching and detaching the devices as slaves. The network drivers no longer hang and network traffic now proceeds as expected in setups using a bonding interface.

BZ#855131
In Fibre Channel fabrics with large zones, the automatic port rescan on incoming Extended Link Service (ELS) frames and any adapter recovery could cause high traffic, in particular if many Linux instances shared a host bus adapter (HBA), which is common on IBM System z architecture. This could lead to various failures; for example, name server requests, port or adapter recovery could fail. With this update, ports are re-scanned only when setting an adapter online or on manual user-triggered writes to the sysfs attribute "port_rescan".

BZ#824964
A deadlock sometimes occurred between the dlm_controld daemon closing a lowcomms connection through the configfs file system and the dlm_send process looking up the address for a new connection in configfs. With this update, the node addresses are saved within the lowcomms code so that the lowcomms work queue does not need to use configfs to get a node address.

BZ#827031
On Intel systems with Pause Loop Exiting (PLE), or AMD systems with Pause Filtering (PF), it was possible for larger multi-CPU KVM guests to experience slowdowns and soft lock-ups. Due to a boundary condition in kvm_vcpu_on_spin, all the VCPUs could try to yield to VCPU0, causing contention on the run queue lock of the physical CPU where the guest's VCPU0 is running. This update eliminates the boundary condition in kvm_vcpu_on_spin.

BZ#796352
On Red Hat Enterprise Linux 6, mounting an NFS export from a Windows 2012 server failed due to the fact that the Windows server contains support for the minor version 1 (v4.1) of the NFS version 4 protocol only, along with support for versions 2 and 3. The lack of the minor version 0 (v4.0) support caused Red Hat Enterprise Linux 6 clients to fail instead of rolling back to version 3 as expected. This update fixes this bug and mounting an NFS export works as expected.

BZ#832575
Previously, the size of the multicast IGMP (Internet Group Management Protocol) snooping hash table for a bridge was limited to 256 entries even though the maximum is 512. This was due to the hash table size being incorrectly compared to the maximum hash table size, hash_max, and the following message could have been produced by the kernel:

Multicast hash table maximum reached, disabling snooping: vnet1, 512

With this update, the hash table value is correctly compared to the hash_max value, and the error message no longer occurs under these circumstances.

BZ#834185
The xmit packet size was previously 64K, exceeding the hardware capability of the be2net card because the size did not account for the Ethernet header. The adapter was therefore unable to process xmit requests exceeding this size, produced error messages and could become unresponsive. To prevent these problems, GSO (Generic Segmentation Offload) maximum size has been reduced to account for the Ethernet header.

BZ#835797
A comparison of signed and unsigned values could under certain circumstances cause a superfluous resched_task() routine to be called, causing several unnecessary cycles in the scheduler. This problem has been fixed, preventing the unnecessary cycles in the scheduler.

BZ#838025
When using virtualization with the netconsole module configured over the main system bridge, guests could not be added to the bridge, because TAP interfaces did not support netpoll. This update adds support of netpoll to the TUN/TAP interfaces so that bridge devices in virtualization setups can use netconsole.

BZ#838640
In the ext4 file system, splitting an unwritten extent while using Direct I/O could fail to mark the modified extent as dirty, resulting in multiple extents claiming to map the same block. This could lead to the kernel or fsck reporting errors due to multiply claimed blocks being detected in certain inodes. In the ext4_split_unwritten_extents() function used for Direct I/O, the buffer which contains the modified extent is now properly marked as dirty in all cases. Errors due to multiply claimed blocks in inodes should no longer occur for applications using Direct I/O.

BZ#839266
When the netconsole module was configured over bridge and the "service network restart" command was executed, a deadlock could occur, resulting in a kernel panic. This was caused by recursive rtnl locking by both bridge and netconsole code during network interface unregistration. With this update, the rtnl lock usage is fixed, and the kernel no longer crashes in this scenario.

BZ#756044
Migrating virtual machines from Intel hosts that supported the VMX "Unrestricted Guest" feature to older hosts without this feature could result in kvm returning the "unhandled exit 80000021" error for guests in real mode. The underlying source code has been modified so that migration completes successfully on hosts where "Unrestricted Guest" is disabled or not supported.

BZ#843849
The kernel contains a rule to blacklist direct memory access (DMA) modes for "2GB ATA Flash Disk" devices. However, this device ID string did not contain a space at the beginning of the name. Due to this, the rule failed to match the device and failed to disable DMA modes. With this update, the string correctly reads " 2GB ATA Flash Disk", and the rule can be matched as expected.

Enhancements

Note

For more information on the most important of the Red Hat Enterprise Linux 6.4 kernel enhancements, refer to the Kernel chapter in the Red Hat Enterprise Linux 6.4 Release Notes or Chapter 2, Device Drivers.
For a summary of added or updated procfs entries, sysfs default values, boot parameters, kernel configuration options, or any noticeable behavior changes, refer to Chapter 1, Important Changes to External Kernel Parameters.

BZ#872799
The INET socket interface has been modified to send a warning message when the ip_options structure is allocated directly by a third-party module using the kmalloc() function.

BZ#823010
The z90crypt device driver has been updated to support the new Crypto Express 4 (CEX4) adapter card.

BZ#586028
This update adds the ability to use InfiniBand's Queue Pair (QP) interface under KVM. The QP interface can be exported to a KVM guest.

BZ#795598
With this update, it is possible to adjust the TCP initial receive window, using the "initrwnd" iproute setting, on a per-route basis.

BZ#831623
A new "route_localnet" interface option has been added, which enables routing of addresses within the 127.0.0.0/8 block.

BZ#847998
With this update, a warning message is logged when a storage device reports a certain SCSI Unit Attention code.

Users should upgrade to these updated packages, which contain backported patches to correct these issues, fix these bugs, and add these enhancements. The system must be rebooted for this update to take effect.

6.104. kexec-tools

6.104.1. RHBA-2013:0281 — kexec-tools bug fix and enhancement update

Updated kexec-tools packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The kexec fastboot mechanism allows booting a Linux kernel from the context of an already running kernel. The kexec-tools package provides the /sbin/kexec binary and ancillary utilities that form the user-space component of the kernel's kexec feature.

Bug Fixes

BZ#628610
When starting the kdump service, kdump always verifies the following vendor model attributes on the present block devices: "/sys/block/vda/device/model", "/sys/block/vda/device/rev" and "/sys/block/vda/device/type". However, the virtio block devices do not provide these attributes to sysfs so if such a device was tested, the following error messages were displayed:

cat: /sys/block/vda/device/model: No such file or directory
cat: /sys/block/vda/device/type: No such file or directory

This update modifies the underlying code to restrain kdump from printing these error messages if a block device does not provide the aforementioned sysfs attributes.

BZ#770000
Previously, if memory ballooning was enabled in the first kernel, the virtio balloon driver was included in the kdump kernel, which led to extensive memory consumption. Consequently, kdump failed due to an out of memory (OOM) error and the vmcore file could not be saved. With this update, the virtio_balloon kernel module is no longer loaded in the second kernel so that an OOM failure no longer prevents kdump from capturing vmcore.

BZ#788253
Previously, the microcode.ko module was included and loaded in the kdump kernel; however, related firmware was not included in the kdump initrd. As a consequence, the kdump kernel waited for a 60-second timeout to expire before loading the next module. This update modifies kdump to exclude the microcode driver from the second kernel so that the kdump kernel no longer waits unnecessarily and loads kernel modules as expected.

BZ#813354
The kdump.conf(5) man page previously did not document what file system types are supported by kdump. The user could therefore attempt to specify an unsupported file-system-type option, such as "auto", in the kdump.conf file. This would result in a failure to start the kdump service while the user expected success. With this update, all supported file system types are clearly listed in the kdump.conf(5) man page.

BZ#816467
When configuring kdump to dump a core file to a remote target over SSH without requiring a password, the "service kdump propagate" command has to be executed to generate and propagate SSH keys to the target system. This action required SELinux to be switched from enforcing mode to permissive mode and back. Previously, the kdump init script used an incorrect test condition to determine the SELinux mode so that the SELinux mode could not be switched as required. Consequently, if SELinux was in enforcing mode, SSH keys could not be generated and kdump failed to start. This update removes the code used to switch between permissive and enforcing modes, which is no longer required because with Red Hat Enterprise Linux 6.3 SELinux added a policy allowing applications to access the ssh-keygen utility to generate SSH keys. SSH keys can now be generated and propagated as expected, and kdump no longer fails to start in this scenario.

BZ#818645
When dumping a core file on IBM System z architecture using the line mode terminals, kdump displays its progress on these terminals. However, these terminals do not support cursor positioning so that formatting of the kdump output was incorrect and the output was hard to read. With this update, a new environment variable, TERM, has been introduced to correct this problem. If "TERM=dumb" is set, the makedumpfile utility produces an easily-readable output on the line mode terminals.

BZ#820474
Previously, kdump expected that the generic ATA driver was always loaded as the ata_generic.ko kernel module and the mkdumprd utility thus added the module explicitly. However, the ata_generic.ko module does not exist on the IBM System z architecture and this assumption caused the kdump service to fail to start if the SCSI device was specified as a dump target on these machines. With this update, mkdumprd has been modified to load the ata_generic module only when required by the specific hardware. The kdump service now starts as expected on IBM System z architecture with SCSI device specified as a dump target.

BZ#821376
Previously, kdump always called the hwclock command to set the correct time zone. However, the Real Time Clock (RTC) interface, which is required by hwclock, is not available on IBM System z architecture. Therefore, running kdump on these machines resulted in the following error messages being emitted:

hwclock: can't open '/dev/misc/rtc': No such file or directory

With this update, kdump has been modified to no longer call the hwclock command when running on IBM System z, and the aforementioned error messages no longer occur.

BZ#825640
When dumping a core file to a remote target using SSH, kdump sends random seeds from the /dev/mem device to the /dev/random device to generate sufficient entropy required to establish a successful SSH connection. However, when dumping a core file on the IBM System z with the CONFIG_STRICT_DEVMEM configuration option enabled, reading /dev/mem was denied and the dump attempt failed with the following error:

dd: /dev/mem: Operation not permitted

With this update, kdump has been modified to reuse the /etc/random_seed file instead of reading /dev/mem. Dumping no longer fails and the core file can now be successfully dumped to a remote target using SSH.

BZ#842476
When booting to the kdump kernel and the local file system specified as the dump target was unmounted, the kernel module required for the respective file-system driver would not have to be included in dumprd. Consequently, kdump could not mount the dump device and failed to capture vmcore. With this update, mkdumprd has been modified to always install the required file system module when dumping a core file to the local file system. The vmcore file can be successfully captured in this scenario.

BZ#859824
When dumping a core file to a remote target using a bonded interface and the target was connected by other than the bond0 interface, kdump failed to dump the core file. This happened because a bonding driver in the kdump kernel creates only one bonding interface named bond0 by default. This update modifies kdump to use the correct bonding interface in the kdump init script so that a core file can be dumped as expected in this scenario.

BZ#870957
When dumping a core file to a SCSI device over Fibre Channel Protocol (FCP) on IBM System z, the zFCP device has to be configured and set online before adding WWPN and SCSI LUN to the system. Previously, the mkdumprd utility parsed the zfcp.conf file incorrectly so that the zFCP device could not be set up and the kdump kernel became unresponsive during the boot. Consequently, kdump failed to dump a core file to the target SCSI device. With this update, mkdumprd has been modified to parse the zfcp.conf file correctly and kdump can now successfully dump a core file to the SCSI target on IBM System z. Also, mkdumprd previously always tried to set online Direct Access Storage Devices (DASD) on IBM System z. This resulted in the "hush: can't open '/sys/bus/ccw/devices//online': No such file or directory" error messages being emitted when booting the kdump kernel in a SCSI-only environment. This update modifies mkdumprd to skip entries from the dasd.conf file if Linux on IBM System z runs without DASD devices. The aforementioned error messages no longer occur during the kdump kernel boot in the SCSI-only environment on IBM System z.

BZ#872086Previously, the kexec utility incorrectly recognized the Xen DomU (HVM) guest as the XenDom0 management domain. Consequently, the kernel terminated unexpectedly and the kdumputility generated the vmcore dump file with no NT_PRSTATUS notes. The crash also led to aNULL pointer dereference. With this update, kexec collects positions and sizes ofNT_PRSTATUS from /sys/devices/system/cpu/cpuN/crash_notes on Xen DomU and from/proc/iomem on Xen Dom0. As a result, the crashes no longer occur.

BZ#874 832Due to recent changes, LVM assumes that the udev utility is always present on the system andcreates correct device nodes and links. However, the kdump initramfs image does not containudev so that LVM was unable to create disk devices and kdump failed. With this update, themkdumprd utility modifies the lvm.conf configuration file to inform LVM that initramfs does notcontain functional udev. If the lvm.conf file does not exist, mkdumprd creates it. The LVM nowcreates the devices correctly and kdump works as expected.

BZ#876891Previously, the mlx4_core kernel module was loaded in the kdump kernel on systems usingMellanox ConnectX InfiniBand adapter cards. However, the mlx4_core module requires anextensive amount of memory, which caused these systems to run into an OOM situation andkdump failed. With this update, the second kernel no longer loads the mlx4_core module so thatthe OOM situation no longer occurs and kdump captures the vmcore file successfully in thisscenario.

BZ#88004 0Due to recent changes, the libdevmapper library assumes that the udev utility is always presenton the system and creates correct device nodes for mulitpath devices. However, the kdumpinitramfs image does not contain udev therefore LVM was unable to create disk devices andkdump failed. With this update, the mkdumprd utility sets the DM_DISABLE_UDEV environmentvariable to 1 to inform libdevmapper that the initramfs image does not contain functional udev.The LVM now creates the devices correctly and kdump can successfully dump a core file to amultipath device.

BZ#892703

When setting up a network in the kdump kernel, the mkdumprd code incorrectly renamed network bridges along with NIC names in the network configuration files. This caused the kdump network setup to fail and the vmcore file could not be captured on the remote target. This update modifies kdump to substitute names of network devices correctly so that the network can be set up and vmcore dumped on the remote target as expected.

Enhancements

BZ#822146

With this update, the mkdumprd utility has been modified to support multipath storage devices as dump targets, which includes the ability to activate multiple NICs in the second kernel.

BZ#850623

This update modifies kdump to always extract the dmesg output from the captured vmcore dump file, and save the output in a separate text file before dumping the core file.

BZ#878200

The /usr/share/doc/kexec-tools-2.0.0/kexec-kdump-howto.txt file has been modified to provide a comprehensive list of supported, unsupported, and unknown dump targets under the “Dump Target support status” section.

Users of kexec-tools are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.105. krb5

6.105.1. RHBA-2013:0319 — krb5 bug fix update

Updated krb5 packages that fix several bugs are now available for Red Hat Enterprise Linux 6.

Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third-party, the Key Distribution Center (KDC).

Upgrade to an upstream version

The krb5 packages have been upgraded to upstream version 1.10.3, which provides a number of bug fixes over the previous version, including better support of cross-domain trust functionality in other packages. (BZ#823926)

Bug Fixes

BZ#771687

Older versions of the libsmbclient package incorrectly depended on the krb5_locate_kdc() function, which is no longer supported. Consequently, applications which used older versions of libsmbclient became incompatible after the Kerberos library update. With this update, an explicit conflict with older versions of libsmbclient has been added. As a result, an incompatible combination cannot be installed.

BZ#773496

Previously, when the krb5-auth-dialog application was used and the prompter was left hanging for a long period of time, a large clock skew was mistakenly recorded. This clock drift was applied in the next kinit session. Consequently, the klist function reported an incorrect expiration time. This bug has been fixed, and the spurious time offset no longer occurs in the described scenario.

BZ#834718

Previously, when a list of trusted roots of a PKINIT client included the KDC's certificates, certain KDC implementations omitted such anchors from the list of certificates in the signed data structure. Consequently, the client failed to verify the KDC's signature on the signed data. With this update, a backported fix has been included to allow the client to use its own copies of relevant certificates. As a result, the verification no longer fails in the aforementioned scenario.

BZ#837855

Prior to this update, attempts to use the kinit command with a keytab file often failed when the keytab file did not contain the Advanced Encryption Standard (AES) keys, but the client's libraries and the KDC both supported AES. The strongest supported encryption type (AES) was chosen by default, even though it was not present in the keytab. Consequently, a mismatch error occurred. The bug has been fixed, and keytabs containing any of the supported encryption types are now correctly processed.

BZ#838548

Previously, the krb5 package did not handle the timeout variable properly. In certain cases, the timeout variable became a negative number. Consequently, the client entered a loop while checking for responses. With this update, the client logic has been modified and the described error no longer occurs.

BZ#839017

Prior to this update, the passwd utility failed when used by an Identity Management client. Consequently, an error occurred with the following message:

token manipulation error

The bug has been fixed, and the passwd utility now works with Identity Management as expected.

BZ#845125, BZ#846472

Due to a previous update to a locally-applied patch, files created by the libkrb5 library were given correct SELinux labels. However, each flushing of the replay cache caused the file context configuration to be reloaded to ensure that the correct label is applied to the newly-created replacement replay cache file. This resulted in large performance degradation in applications which accept authentication and use replay caches. With this update, the context configuration is only loaded when the context configuration file has been modified and the configuration is now freed only when the library is unloaded or the calling application exits, thus greatly lowering the impact of this problem.

All users of krb5 are advised to upgrade to these updated packages, which fix these bugs.

6.106. ksh

6.106.1. RHBA-2013:0430 — ksh bug fix and enhancement update

Updated ksh packages that fix several bugs and add one enhancement are now available for Red Hat Enterprise Linux 6.

KSH-93 is the most recent version of the KornShell by David Korn of AT&T Bell Laboratories. KornShell is a shell programming language which is also compatible with sh, the original Bourne Shell.

Bug Fixes

BZ#827512

Originally, ksh buffered output of a subshell, flushing it when the subshell completed. This slowed certain processes that waited for a particular output, because they had to wait for the subshell to complete. Moreover, it made it difficult to determine the order of events. The new version of ksh flushes output of the subshell every time the subshell executes a new command. Thanks to this change, processes waiting for the subshell output receive their data after every subshell command and the order of events is preserved.

BZ#846663

Previously, the sfprints() function was unsafe to be called during the shell initialization, which could corrupt the memory. Consequently, assigning a right-aligned variable to a smaller size could result in inappropriate output format. With this update, the sfprints() call is no longer used in the described scenario, which fixes the format of the output.

BZ#846678

Due to a bug in the typeset command, when executed with the -Z option, output was being formatted to an incorrect width. As a result, exporting a right-aligned variable of a smaller size than the predefined field size caused it to not be prepended with the "0" character. A patch has been provided and the typeset command now works as expected in the aforementioned scenario.

Enhancement

BZ#869155

With this update, ksh has been enhanced to support logging of the shell output.

Users of ksh are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.

6.107. ledmon

6.107.1. RHBA-2013:0479 — ledmon bug fix and enhancement update

Updated ledmon packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The ledmon and ledctl utilities are user space applications designed to control LEDs associated with each slot in an enclosure or a drive bay. There are two types of systems: 2-LED systems (Activity LED, Status LED) and 3-LED systems (Activity LED, Locate LED, Fail LED). Users must have root privileges to use these applications.

Upgrade to an upstream version

The ledmon package has been upgraded to upstream version 0.72, which provides a number of bug fixes and enhancements over the previous version. (BZ#817974)

Users of ledmon are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.108. libburn

6.108.1. RHBA-2012:1273 — libburn bug fix update

Updated libburn packages that fix one bug are now available for Red Hat Enterprise Linux 6.

Libburn is an open-source library for reading, mastering and writing optical discs. For now this means only CD-R and CD-RW.

BZ#822906

Prior to this update, the libburn library contained the "burn_write_close_track" command, which was redundant and not fully supported by all burning drives. As a consequence, burning a CD-R or CD-RW could log errors while closing a track after the burning process, even if the data was written correctly. This update removes this redundant call.

All users of gfs-kmod are advised to upgrade to these updated packages, which fix this bug.

6.109. libcgroup

6.109.1. RHBA-2013:0452 — libcgroup bug fix and enhancement update

Updated libcgroup packages that fix several bugs and add one enhancement are now available for Red Hat Enterprise Linux 6.

The libcgroup packages provide tools and libraries to control and monitor control groups.

Bug Fixes

BZ#773544

Previously, the cgrulesengd daemon ignored the "--sticky" option of the cgexec command and, as a consequence, moved a process to another cgroup when the process called the setuid() or setgid() functions even if the process had to be stuck to the current cgroup. This bug is now fixed and the cgrulesengd daemon now checks whether the process is "sticky" or not when the process calls setuid or setgid.

BZ#819137

Previously, the lscgroup command dropped the first character of a path unless prefixed with a slash, which led to lscgroup generating invalid paths. This bug is now fixed and the generated paths are now correct.

BZ#849757

Previously, adding a cgroup after the cgrulesengd daemon had started did not work. As a consequence, if a directory was created after cgrulesengd was already started, any /etc/cgrules.conf configuration for that directory would not be processed. With this update, a routine has been added to scan the cgrules.conf file and move matching running tasks in the /proc/pid/ directory into configured cgroups. This new routine is called at init time and also after inotify events on cgroups.

BZ#869990

Previously, the cgconfig service was not working properly with read-only file systems. As a consequence, cgconfig was not able to start with the default configuration on a Red Hat Enterprise Virtualization Hypervisor system. This update adds a check for the read-only file systems to the cgconfig service and it now works as expected with the default configuration on Red Hat Enterprise Virtualization Hypervisor systems.

Enhancement

BZ#738737

This update improves the logging facility and error messages generated by libcgroup.

Users of libcgroup are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.

6.110. libdbi

6.110.1. RHBA-2013:0326 — libdbi bug fix update

Updated libdbi packages that fix one bug are now available for Red Hat Enterprise Linux 6.

The libdbi packages provide implementation of a database-independent abstraction layer in the C language. This framework allows programmers to write one generic set of code that works with multiple databases and multiple simultaneous database connections.

Bug Fix

BZ#733413

Previously, when processing query results, the last row of a query result was not freed due to an off-by-one logic error. This resulted in a memory leak that could become significant after processing a large number of query results. This update corrects an incorrect test condition in the underlying source code and memory leaks no longer occur in this scenario.

All users of libdbi are advised to upgrade to these updated packages, which fix this bug.

6.111. libdvdread

6.111.1. RHBA-2012:1247 — libdvdread bug fix update

Updated libdvdread packages that fix one bug are now available for Red Hat Enterprise Linux 6.

The libdvdread packages contain a simple foundation to read DVD video disks. This provides the functionality that is required to access many DVDs.

Bug Fix

BZ#842016

Prior to this update, the dvd_stat_t structure was not public. As a consequence, source code that required such structures could not be compiled. This update makes the dvd_stat_t structure public, to allow compiling code that uses this type.

All users of libdvdread are advised to upgrade to these updated packages, which fix this bug.

6.112. libguestfs

6.112.1. RHBA-2013:0324 — libguestfs bug fix and enhancement update

Updated libguestfs packages that fix numerous bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The libguestfs packages contain a library, which is used for accessing and modifying guest disk images.

Bug Fixes

BZ#801640

Previously, when using the resize2fs -M command and an error due to lack of free space occurred, the returned error message was incorrect and could confuse the user. With this update, a proper error message is returned instead.

BZ#822626

Due to a bug in the source code, an error occurred when using the virt-ls --checksum command and the following error message was returned:

libguestfs: error: checksum: path: parameter cannot be NULL

The underlying source code has been modified and virt-ls --checksum now works as expected.

BZ#830369

Due to the guestfs_inspect_get_hostname() function, the libguestfs-based commands did not work properly when an empty /etc/HOSTNAME file was created on a Linux guest. This update applies a patch to fix this bug and the libguestfs-based commands now work in the described scenario.

BZ#836573

Previously, the libguestfs library did not handle the /dev/disk/by-id/* paths. Consequently, it was impossible to examine a guest using commands with such a path and an error message was returned. With this update, a patch has been applied to fix this bug and the libguestfs library no longer returns an error in this situation.

BZ#837691

Previously, under certain conditions, writing to disks in the qcow2 format could cause silent data loss. The underlying source code has been modified to prevent this behavior and writing to disks in the qcow2 format now works as expected.

BZ#838609

Due to a race condition between the guestmount and the fusermount tools, unmounting and then immediately using a disk image was not safe and could cause data loss or memory corruption. This update adds the new --pid-file option for guestmount to avoid the race condition between these tools and attempts to use disk images immediately after unmounting can no longer cause data loss or memory corruption.

BZ#852396

Previously, the libguestfs library limited the total size of downloaded hive files from a Windows Registry to 100 MB. Consequently, an attempt to inspect systems with a large amount of hive files caused libguestfs to return an error message. With this update, the limit was increased to 300 MB and libguestfs can now inspect a larger Windows Registry properly.

BZ#853763

Previously, using the file utility to detect the format of a disk image could produce different output for different versions of this utility. The underlying source code has been modified and output is now the same for all versions of the file utility.

BZ#858126

Due to a bug in the underlying source code, the virt-inspector tool failed to work with certain Windows guests. This update applies a patch to fix this bug and virt-inspector now supports all Windows guests as expected.

BZ#858648

Due to recent changes in the iptables packages, the libguestfs library could not be installed with the new version of the iptables tool. The underlying source code has been modified to fix this bug and the installation of libguestfs works as expected.

BZ#872454

Previously, the libguestfs library detected the Red Hat Enterprise Linux 5.1 guests as NetBSD guests. This update applies a patch to fix this bug and libguestfs now detects Red Hat Enterprise Linux 5.1 guests correctly.

BZ#880805

The virt-df command with -a or -d arguments works correctly only with a single guest. An attempt to use this command with multiple arguments, such as virt-df -a RHEL-Server-5.9-32-pv.raw -a opensuse.img, caused the disk image names to be displayed incorrectly. With this update, the plus sign (“+”) is displayed for each additional disk, so that the user can easily recognize them. In addition, the correct usage of the virt-df command has been described in the virt-df(1) man page.

Enhancements

BZ#830135

This enhancement improves the libguestfs library to support mount-local APIs.

BZ#836501

With this update, the dependency on the fuse packages has been added to libguestfs dependencies.

All users of libguestfs are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.113. libhbaapi

6.113.1. RHEA-2013:0416 — libhbaapi enhancement update

Updated libhbaapi packages that add one enhancement are now available for Red Hat Enterprise Linux 6.

The libhbaapi library is the Host Bus Adapter (HBA) API library for Fibre Channel and Storage Area Network (SAN) resources. It contains a unified API that programmers can use to access, query, observe, and modify SAN and Fibre Channel services.

Enhancement

BZ#862386

This update converts libhbaapi code to a merged upstream repository at Open-FCoE.org. Consequently, the libhbaapi packages are no longer compiled from different sources, thus making maintenance and further development easier.

Users of libhbaapi are not required to upgrade to these updated packages as the change introduced by them is purely formal and does not affect functionality.

6.114. libhbalinux

6.114.1. RHBA-2013:0415 — libhbalinux bug fix and enhancement update

Updated libhbalinux packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The libhbalinux package contains the Host Bus Adapter API (HBAAPI) vendor library which uses standard kernel interfaces to obtain information about Fiber Channel Host Buses (FC HBA) in the system.

Upgrade to an upstream version

The libhbalinux packages have been upgraded to upstream version 1.0.14, which provides a number of bug fixes and enhancements over the previous version. (BZ#819936)

All users of libhbalinux are advised to upgrade to these updated libhbalinux packages, which fix these bugs and add these enhancements.

6.115. libical

6.115.1. RHBA-2013:0471 — libical bug fix update

Updated libical packages that fix one bug are now available for Red Hat Enterprise Linux 6.

The libical packages provide a reference implementation of the iCalendar data type and serialization format used in dozens of calendaring and scheduling products.

Bug Fix

BZ#664332

The libical packages can be configured to abort when parsing improperly formatted iCalendar data, primarily useful for testing and debugging. In Red Hat Enterprise Linux this behavior is disabled, but some parts of the libical source code were improperly checking for this option. Consequently, the library aborted even if configured not to do so. The underlying source code has been modified and libical no longer aborts in the described scenario.

All users of libical are advised to upgrade to these updated packages, which fix this bug.

6.116. libica

6.116.1. RHEA-2013:0399 — libica enhancement update

Updated libica packages that add one enhancement are now available for Red Hat Enterprise Linux 6.

The libica library contains a set of functions and utilities for accessing the IBM eServer Cryptographic Accelerator (ICA) hardware on IBM System z.

Enhancement

BZ#738835

The libica library has been modified to allow usage of new algorithms that support the Message Security Assist Extension 4 instructions in the Central Processor Assist for Cryptographic Function (CPACF) feature. For the DES and 3DES block ciphers, the new feature supports the following modes of operation:

Cipher Block Chaining with Ciphertext Stealing (CBC-CS)

Cipher-based Message Authentication Code (CMAC)

For the AES block cipher, this feature supports the following modes of operation:

Cipher Block Chaining with Ciphertext Stealing (CBC-CS)

Counter with Cipher Block Chaining Message Authentication Code (CCM)

Galois/Counter (GCM)

With this acceleration of complex cryptographic algorithms, performance of IBM System z machines significantly improves.

All users of libica are advised to upgrade to these updated packages, which add this enhancement.

6.117. libldb

6.117.1. RHBA-2013:0372 — libldb bug fix and enhancement update

Updated libldb packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The libldb packages provide an extensible library that implements an LDAP-like API to access remote LDAP servers, or use local TDB databases.

Upgrade to an upstream version

The libldb packages have been upgraded to upstream version 1.1.13, which provides a number of bug fixes and enhancements over the previous version. One of the most significant changes is that the source code of libldb is no longer a part of the samba4 packages but has been extracted to a separate SRPM package. This resolves the problem caused by recent changes in the Samba build system, which made the libldb library impossible to build as a shared library from the Samba tarball. (BZ#859229)

Bug Fix

BZ#873422

Recent changes in the Samba compiling script caused libldb to expose internal functions and symbols in the public interface. This could lead to various linking and building problems if these internal symbols were used directly out of the libldb code. This update corrects the compiling script so that internal symbols of libldb are no longer exported and visible in the libldb public interface.

All users of libldb are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.118. libqb

6.118.1. RHBA-2013:0323 — libqb bug fix and enhancement update

Updated libqb packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The libqb packages provide a library with the primary purpose of providing high performance client server reusable features, such as high performance logging, tracing, inter-process communication, and polling.

Upgrade to an upstream version

The libqb packages have been upgraded to upstream version 0.14.2, which provides a number of bug fixes and enhancements over the previous version. (BZ#845275)

Bug Fix

BZ#869446

Previously, a timeout argument given to the qb_ipcc_recv() API function was not passed to poll() while waiting for a reply. Consequently, this function could consume nearly 100% CPU resources and affect the pacemaker utility. This bug has been fixed by passing the timeout value to poll() in qb_ipcc_recv(). As a result, the timeout period is honored as expected and pacemaker works correctly in such a case.

All libqb users are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.119. libsemanage

6.119.1. RHBA-2013:0465 — libsemanage bug fix update

Updated libsemanage packages that fix two bugs are now available for Red Hat Enterprise Linux 6.

The libsemanage library provides an API for the manipulation of SELinux binary policies. It is used by checkpolicy (the policy compiler) and similar tools, as well as by programs such as load_policy, which must perform specific transformations on binary policies (for example, customizing policy boolean settings).

Bug Fixes

BZ#798332

Previously, the "usepasswd" parameter was not available in the /etc/selinux/semanage.conf file. This update adds the missing "usepasswd" parameter to this file.

BZ#829378

When a custom SELinux policy module was loaded with an error, an error message that was not very informative was returned. This update fixes the error message to be more helpful for users.

All users of libsemanage are advised to upgrade to these updated packages, which fix these bugs.

6.120. libsoup

6.120.1. RHBA-2013:0313 — libsoup bug fix update

Updated libsoup packages that fix two bugs are now available for Red Hat Enterprise Linux 6.

The libsoup packages provide an HTTP client and server library for GNOME.

Bug Fixes

BZ#657622

Prior to this update, the clock-applet did not handle canceled requests during a DNS lookup correctly and accessed already freed memory. As a consequence, the weather view of the clock-applet could, under certain circumstances, abort with a segmentation fault when updating the weather if the hostname of the weather server needed more than 30 seconds, for example due to network problems. This update modifies the underlying code to allow requests that take too long to be canceled.

BZ#746587

Prior to this update, the weather view of the clock-applet tried to connect to the weather server indefinitely as fast as it could if the weather server (or an HTTP proxy) closed the connection without responding. This update modifies the underlying code to retry a request only if the server unexpectedly closes a previously-used connection, not a new connection. Now, libsoup returns a "Connection terminated unexpectedly" error, so the clock-applet does not update the weather display, and tries again later.

All users of libsoup are advised to upgrade to these updated packages, which fix these bugs.

6.121. libssh2

6.121.1. RHBA-2013:0329 — libssh2 bug fix and enhancement update

Updated libssh2 packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The libssh2 packages provide a library that implements the SSH2 protocol.

Upgrade to an upstream version

The libssh2 packages have been upgraded to upstream version 1.4.2, which provides a number of bug fixes and enhancements over the previous version, including fixes for memory leaks, missing error handling, and incompatibilities in the SSH2 protocol implementation. (BZ#749873)

Bug Fixes

BZ#741919

With this update, several stability patches have been added to libssh2. As a result, memory leaks, buffer overruns, and null pointer problems are avoided when managing a large number of nodes.

BZ#801428

Previously, an insufficient data type was used for certain bit shift operations in the libssh2 code. This behavior caused the curl utility to terminate unexpectedly when downloading files larger than 2 GB over the SSH File Transfer Protocol (SFTP). With this update, the underlying code has been modified to use the correct data type and curl now works as expected in the described scenario.

BZ#804145

Under certain circumstances, libssh2 failed to resume an interrupted key exchange when sending a large amount of data over SSH. Moreover, further data was erroneously sent, which caused the remote site to close the connection immediately. With this update, libssh2 has been modified to properly resume the interrupted key exchange before sending any further data. As a result, the connection remains open and the data transfer proceeds as expected.

BZ#804150

Previously, the function for writing to a channel in libssh2 incorrectly handled error states, which, under certain circumstances, resulted in an infinite loop. The function has been fixed and the error handling now works properly.

BZ#806862, BZ#873785

Previously, the window size adjustment in libssh2 did not work properly, which resulted in unclosed connections when transferring huge files over SCP or SFTP, extensive memory consumption, or both. The window-adjusting code has been fixed and now works properly for blocks of arbitrary size.

BZ#826511

Previously, libssh2 incorrectly returned the LIBSSH2_ERROR_EAGAIN error code when operating in blocking mode. The error code is used by libssh2 internally to initiate a blocking operation on a socket. The error code was, however, not properly cleared on success and leaked through the public API of libssh2. An upstream patch has been applied to clear the error code prior to initiating the blocking operation, and libssh2 no longer returns LIBSSH2_ERROR_EAGAIN when operating in blocking mode.

All users of libssh2 are advised to upgrade to these updated packages, which fix these bugs and add these enhancements. After installing these updated packages, all running applications using libssh2 have to be restarted for this update to take effect.
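An added illustration of the bug class described under BZ#801428 (constructed for these notes, not libssh2's code): SFTP carries file sizes and offsets as 64-bit big-endian integers, and assembling one through a signed 32-bit intermediate goes wrong exactly at the 2 GB boundary. All function names are hypothetical.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration; every name here is hypothetical
 * (none of these are libssh2 symbols). */

/* Serialize a 64-bit value big-endian, the byte order used on the wire. */
void encode_u64(uint64_t v, unsigned char out[8])
{
    for (int i = 7; i >= 0; i--) {
        out[i] = (unsigned char)(v & 0xff);
        v >>= 8;
    }
}

/* Narrow variant: the low half is held in a signed 32-bit variable.
 * Once bit 31 is set (values from 2 GiB upward) that half is negative,
 * and widening it for the OR sign-extends into the upper 32 bits. */
uint64_t decode_u64_narrow(const unsigned char *buf)
{
    uint32_t hi = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                  ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];
    int32_t lo = (int32_t)(((uint32_t)buf[4] << 24) |
                           ((uint32_t)buf[5] << 16) |
                           ((uint32_t)buf[6] << 8)  |
                            (uint32_t)buf[7]);
    return ((uint64_t)hi << 32) | (uint64_t)lo;
}

/* Wide variant: every shift happens in an unsigned 64-bit accumulator. */
uint64_t decode_u64_wide(const unsigned char *buf)
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++)
        v = (v << 8) | buf[i];
    return v;
}

/* Lowest bit position at which the two decoders disagree, or -1 if none. */
int first_mismatch_bit(void)
{
    unsigned char wire[8];
    for (int bit = 0; bit < 64; bit++) {
        encode_u64((uint64_t)1 << bit, wire);
        if (decode_u64_narrow(wire) != decode_u64_wide(wire))
            return bit;
    }
    return -1;
}

int main(void)
{
    /* Constructed sample sizes around the 2 GiB boundary. */
    const uint64_t sizes[] = {
        1073741824ULL,  /* 1 GiB     */
        2147483647ULL,  /* 2 GiB - 1 */
        2147483648ULL,  /* 2 GiB     */
        3221225472ULL,  /* 3 GiB     */
        5368709120ULL   /* 5 GiB     */
    };
    unsigned char wire[8];

    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        encode_u64(sizes[i], wire);
        printf("sent %" PRIu64 "  narrow %" PRIu64 "  wide %" PRIu64 "\n",
               sizes[i], decode_u64_narrow(wire), decode_u64_wide(wire));
    }
    printf("first mismatching bit: %d\n", first_mismatch_bit());
    return 0;
}
```

A size or offset decoded this way feeds length checks and buffer arithmetic, so regression tests for transfer code should include values with bit 31 set, not only "large" values such as 5 GiB, which the narrow decoder happens to get right.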

6.122. libtalloc

6.122.1. RHBA-2013:0352 — libtalloc bug fix update

Updated libtalloc packages that fix several bugs are now available for Red Hat Enterprise Linux 6.

The libtalloc packages provide a library that implements a hierarchical memory allocator with destructors.

Upgrade to an upstream version

The libtalloc packages have been upgraded to upstream version 2.0.7, which provides a number of bug fixes over the previous version. (BZ#766335)

All libtalloc users are advised to upgrade to these updated packages, which fix these bugs.

6.123. libtdb

6.123.1. RHBA-2013:0353 — libtdb bug fix and enhancement update

Updated libtdb packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The libtdb packages provide a library that implements the Trivial Database (TDB). TDB is a simple hashed database that uses internal locking to allow multiple simultaneous writers and readers.

Upgrade to an upstream version

The libtdb packages have been upgraded to upstream version 1.2.10, which provides a number of bug fixes and enhancements over the previous version. These updated libtdb packages are compliant with requirements of Samba 4. (BZ#766334)

All users of libtdb are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.124. libtevent

6.124.1. RHBA-2013:0354 — libtevent bug fix and enhancement update

Updated libtevent packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The libtevent packages provide Tevent, an event system based on the talloc memory management library. Tevent supports many event types, including timers, signals, and the classic file descriptor events. Tevent also provides helpers to deal with asynchronous code represented by the tevent_req (Tevent Request) functions.

Upgrade to an upstream version

The libtevent packages have been upgraded to upstream version 0.9.17, which provides a number of bug fixes and enhancements over the previous version. These updated libtevent packages are compliant with requirements of Samba 4. (BZ#766336)

All users of libtevent are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.125. libusb1

6.125.1. RHBA-2013:0310 — libusb1 bug fix update

Updated libusb1 packages that fix two bugs are now available for Red Hat Enterprise Linux 6.

The libusb1 packages provide a library to communicate with USB devices from userspace.

Bug Fixes

BZ#820205

Prior to this update, the usbredir network protocol caused a conflict with the libusb library. As a consequence, SPICE USB-redirection failed with the following error in the virt-viewer tool: "usbredirhost error: submitting bulk transfer on ep 02: -1" when trying to redirect one USB device to two guests simultaneously. This update modifies the underlying code to send the error message "Device is busy" and fail after the second attempt.

BZ#830751

Prior to this update, USB Request Blocks (URBs) from the user space were not allowed to have transfer buffers larger than an arbitrary maximum. As a consequence, attempting to redirect certain USB mass-storage devices could fail. This update modifies the underlying code to allow programs to submit URBs of any size. If there is not sufficient memory available, the submission fails with an ENOMEM error. In addition, this update also replaces the old limits on individual transfer buffers with a single global limit of 16 MB on the total amount of memory in use by the USB file system (usbfs) to prevent programs from submitting a lot of small URBs and so using all the DMA-able kernel memory.

All users of libusb1 are advised to upgrade to these updated packages, which fix these bugs.

6.126. libvirt-cim

6.126.1. RHBA-2013:0449 — libvirt-cim bug fix update

Updated libvirt-cim packages that fix two bugs are now available for Red Hat Enterprise Linux 6.

The libvirt-cim package contains a Common Information Model (CIM) provider based on Common Manageability Programming Interface (CMPI). It supports most libvirt virtualization features and allows management of multiple libvirt-based platforms.

Bug Fixes

BZ#805892

If the sblim-sfcb package was installed on the system, rebuilding the libvirt-cim package failed with an error due to an incomplete substitution in the Makefile. The substitution has been corrected and rebuilding libvirt-cim now works as expected.

BZ#864096

When upgrading the libvirt-cim package to a newer version after libvirt-cim had registered its classes with a cim-server, the %preun code unregistered the classes leaving the system without libvirt-cim classes being registered. Now the libvirt-cim package only unregisters the libvirt-cim classes on uninstall.

Users of libvirt-cim are advised to upgrade to these updated packages, which fix these bugs.

6.127. libvirt-java

6.127.1. RHBA-2013:0325 — libvirt-java bug fix and enhancement update

Updated libvirt-java packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The libvirt-java packages provide Java bindings to use libvirt, which is the virtualization API to manage and interact with virtualization capabilities.

Upgrade to an upstream version

The libvirt-java packages have been upgraded to upstream version 0.4.9, which provides a number of bug fixes and enhancements over the previous version. (BZ#838046)

Bug Fix

BZ#836920

Due to a failing Java Native Access (JNA) conversion, the "setSchedulerParameters()" method for domains did not process input parameters properly. With this update, the conversion process has been modified. As a result, setSchedulerParameters() now works as expected.

All users of libvirt-java are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.128. libvirt

6.128.1. RHBA-2013:0664 — libvirt bug fix and enhancement update

Updated libvirt packages that fix several bugs and add one enhancement are now available for Red Hat Enterprise Linux 6.

The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems.

Bug Fixes

BZ#908836

The AMD family 15h processors CPU architecture consists of "modules", which are represented both as separate cores and separate threads. Management applications needed to choose between one of the approaches, and libvirt did not provide enough information to do this. Management applications were not able to represent the modules in an AMD family 15h processors core according to their needs. The capabilities XML output now contains more information about the processor topology, so that the management applications can extract the information they need.

BZ#913624

When auto-port and port were not specified, but the tlsPort attribute was set to "-1", the tlsPort parameter specified in the QEMU command line was set to "1" instead of a valid port. Consequently, QEMU failed, because it was unable to bind a socket on the port. This update replaces the current QEMU driver code for managing port reservations with the new virPortAllocator APIs, and QEMU is able to bind a socket on the port.

BZ#915344

Previously, libvirtd was unable to execute an s3/s4 operation for a Microsoft Windows guest which ran the guest agent service. Consequently, this resulted in a "domain s4 fail" error message, due to the domain being destroyed. With this update, the guest is destroyed successfully and the libvirtd service no longer crashes.

BZ#915347

When a VM was saved into a compressed file and decompression of that file failed while libvirt was trying to resume the VM, libvirt removed the VM from the list of running VMs, but did not remove the corresponding QEMU process. With this update, the QEMU process is killed in such cases. Moreover, non-fatal decompression errors are now ignored and a VM can be successfully resumed if such an error occurs.

BZ#915348

Python bindings for libvirt contained an incorrect implementation of the getDomain() and getConnect() methods in the virDomainSnapshot class. Consequently, the Python client terminated unexpectedly with a segmentation fault. Python bindings now provide proper domain() and connect() accessors that fetch Python objects stored internally within the virDomainSnapshot instance and crashes no longer occur.

BZ#915349

Previously, libvirt added a cache of storage file backing chains, rather than rediscovering the backing chain details on every operation. This cache was then used to decide which files to label for sVirt, but when libvirt switched over to use the cache, the cache was only populated when cgroups were in use. On setups that did not use cgroups, due to the lack of backing chain cache information, sVirt was unable to properly label backing chain files, which caused a regression observed by guests being prevented from running. Populating the cache has now been moved earlier, to be independent of cgroups; the cache results in more efficient sVirt operations, and now works whether or not cgroups are in effect.

BZ#915353

Occasionally, when users ran multiple virsh create/destroy loops, a race condition could have occurred and libvirtd terminated unexpectedly with a segmentation fault. False error messages reporting to the caller that the domain had already been destroyed also occurred. With this update, the outlined script is run and completes without libvirtd crashing.

BZ#915354

Previously, libvirt followed relative backing chains differently than QEMU. This resulted in missing sVirt permissions when libvirt could not follow the chain. With this update, relative backing files are now treated identically in libvirt and QEMU, and VDSM use of relative backing files functions properly.

BZ#915363

Previously, libvirt reported raw QEMU errors when snapshots failed, and the error message provided was confusing. With this update, libvirt now gives a clear error message when QEMU is not capable of snapshots, which enables more informative handling of the situation.

BZ#917063

Previously, libvirt was not tolerant of missing unpriv_sgio support in the running kernel even though it was not necessary. After upgrading the host system to Red Hat Enterprise Linux 6.4, users were unable to start domains using shareable block disk devices unless they rebooted the host into the new kernel. The check for unpriv_sgio support is now only performed when it is really needed, and libvirt is now able to start all domains that do not strictly require unpriv_sgio support regardless of host kernel support for it.

BZ#918754

When asked to create a logical volume with zero allocation, libvirt ran lvcreate to create a volume with no extents, which is not permitted. Creation of logical volumes with zero allocation failed and libvirt returned an error message that did not mention the real error. Now, rather than asking for no extents, libvirt tries to create the volume with a minimal number of extents. The code is also fixed to provide the real error message should the volume creation process fail. Logical volumes with zero allocation can now be successfully created using libvirt.

BZ#919504

Previously, when users started the guest with a shareable block CD-ROM, libvirtd failed unexpectedly due to accessing memory that was already freed. This update addresses the aforementioned issue, and libvirtd no longer crashes in the described scenario.

BZ#922095

Various memory leaks in libvirtd were discovered when users ran Coverity and Valgrind leak detection tools. This update addresses these issues, and libvirtd no longer leaks memory in the described scenario.

Enhancement

BZ#915352

This update adds support for ram_size settings to the QXL device. When using multiple heads in one PCI device, the device needed more RAM assigned. Now, the memory of the RAM bar size is set larger than the default size and libvirt can drive multi-head QXL.

Users of libvirt are advised to upgrade to these updated packages, which fix these bugs and add this enhancement. After installing the updated packages, libvirtd will be restarted automatically.

6.128.2. RHSA-2013:0276 — Moderate: libvirt bug fix, and enhancement update

Updated libvirt packages that fix one security issue, multiple bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.

The libvirt packages provide the libvirt library which is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems.

Upgrade to an upstream version

The libvirt packages have been upgraded to upstream version 0.10.2, which provides a number of bug fixes and enhancements over the previous version, such as support for Open vSwitch, a new API for detailed CPU statistics, improved support of LXC method including the sVirt technology, improvements of the virsh edit command, improved APIs for listing various objects and support for pinning and tuning emulator threads. (BZ#836934)

Security Fixes

CVE-2012-3411

It was discovered that libvirt made certain invalid assumptions about dnsmasq's command line options when setting up DNS masquerading for virtual machines, resulting in dnsmasq incorrectly processing network packets from network interfaces that were intended to be prohibited. This update includes the changes necessary to call dnsmasq with a new command line option, which was introduced to dnsmasq via RHSA-2013:0277.

In order for libvirt to be able to make use of the new command line option (--bind-dynamic), updated dnsmasq packages need to be installed. Refer to RHSA-2013:0277 for additional information.
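
The following check is an added example, not part of the Technical Notes or of libvirt: it lists running dnsmasq processes whose arguments lack the --bind-dynamic option named above. It assumes that libvirt-started instances can be recognised by the string "libvirt" somewhere in their arguments (for example in a pid-file path); the function name and both parameters are hypothetical.

```shell
#!/bin/sh
# Added example: find dnsmasq processes started without --bind-dynamic.
#   $1 = proc root to scan (default: /proc)
#   $2 = substring marking a libvirt-managed instance (assumption: "libvirt")
# Prints one PID per line; prints nothing when every instance has the option.
dnsmasq_without_bind_dynamic() {
    root=${1:-/proc}
    marker=${2:-libvirt}
    for f in "$root"/[0-9]*/cmdline; do
        [ -r "$f" ] || continue
        # /proc/<pid>/cmdline separates arguments with NUL bytes;
        # turn them into one argument per line.
        args=$(tr '\000' '\n' < "$f" 2>/dev/null) || continue
        argv0=$(printf '%s\n' "$args" | head -n 1)
        # Only dnsmasq binaries, whatever directory they live in.
        case ${argv0##*/} in
            dnsmasq) ;;
            *) continue ;;
        esac
        # Skip instances that were not started by libvirt.
        printf '%s\n' "$args" | grep -q -- "$marker" || continue
        # The option must appear as a whole argument, not as a substring.
        printf '%s\n' "$args" | grep -qx -- '--bind-dynamic' && continue
        pid=${f%/cmdline}
        echo "${pid##*/}"
    done
}

# Usage on a host: dnsmasq_without_bind_dynamic /proc libvirt
```

Any PID it prints belongs to an instance that is still running with the old argument set, for example one started before the updated libvirt and dnsmasq packages were installed.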

Bug Fixes

BZ#794523

The libvirt library was issuing the PAUSED event before the QEMU processor emulator really paused. Consequently, a domain could be reported as paused before it was actually paused, which could confuse a management application using the libvirt library. With this update, the PAUSED event is started after QEMU is stopped on a monitor and the management application is no longer confused by libvirt.

BZ#797279, BZ#808980, BZ#869557

The fixed limit for the maximum size of an RPC message that could be sent between the libvirtd daemon and a client, such as the virsh utility, was 65536 bytes. However, this limit was not always sufficient and messages that were longer than that could be dropped, leaving a client unable to fetch important data. With this update, the buffer for incoming messages has been made dynamic and both sides, a client and libvirtd, now allocate as much memory as is needed for a given message, which allows much bigger messages to be sent.

BZ#807996

Previously, repeatedly migrating a guest between two machines while using the tunnelled migration could cause the libvirtd daemon to lock up unexpectedly. The bug in the code for locking remote drivers has been fixed and repeated tunnelled migrations of domains now work as expected.

BZ#814664

Previously, multiple libvirt API calls were needed to determine the full list of guests on a host controlled by the libvirt library. Consequently, a race condition could occur when a guest changed its state between two calls that were needed to enumerate started and stopped guests. This behavior caused the guest to disappear from both of the lists, because the time of enumeration was not considered to be a part of the lists. This update adds a new API function that gathers the guest list in one call while the driver is locked. This guarantees that no guest changes its state before the list is gathered so that guests no longer disappear in the described scenario.

BZ#818467

Previously, libvirt did not report many useful error messages that were returned by external programs such as QEMU and only reported a command failure. Consequently, certain problems, whose cause or resolution could be trivial to discover by looking at the error output, were difficult to diagnose. With this update, if any external command run by libvirt exits with a failure, its standard error output is added to the system log as a libvirt error. As a result, problems are now easier to diagnose, because better information is available.

BZ#823716

Closing a file descriptor multiple times could, under certain circumstances, lead to a failure to execute the qemu-kvm binary. As a consequence, a guest failed to start. A patch has been applied to address this issue, so that the guest now starts successfully.

BZ#825095

Prior to this update, libvirt used an unsuitable detection procedure to detect NUMA and processor topology of a system. Consequently, topology of some advanced multi-processor systems was detected incorrectly and management applications could not utilize the full potential of the system. Now, the detection has been improved and the topology is properly recognized even on modern systems.

BZ#825820

Previously, the libvirt library had hooks for calling a user-written script when a guest was started or stopped, but had no hook to call a script for each guest when the libvirtd daemon itself was restarted. Consequently, certain custom setups that required extra operations not directly provided by libvirt could fail when libvirtd was restarted. For example, packet forwarding rules installed to redirect incoming connections to a particular guest could be overridden by libvirt's “refresh” of its own iptables packet forwarding rules, breaking the connection forwarding that had been set up. This update improves libvirt with a new “reconnect” hook; the QEMU hook script is called with a type of “reconnect” for every active guest each time libvirtd is restarted. Users can now write scripts to recognize the “reconnect” event, and for example reload the user-supplied iptables forwarding rules when this event occurs. As a result, incoming connections continue to be forwarded correctly, even when libvirtd is restarted.
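
A sketch of a QEMU hook script that reacts to the “reconnect” event described in BZ#825820; it is an added example, not code from the Technical Notes or from libvirt. The rules file path, its "guest host_port guest_ip guest_port" line format and the function names are assumptions.

```shell
#!/bin/sh
# Added example of a libvirt QEMU hook script (installed as /etc/libvirt/hooks/qemu).
# libvirtd invokes it as:  qemu <guest> <operation> <sub-operation> <extra>
# Assumptions (not from the Technical Notes): the rules file below and its
# line format "<guest> <host_port> <guest_ip> <guest_port>".

RULES_FILE="${RULES_FILE:-/etc/libvirt/hooks/forward.rules}"  # hypothetical path
IPTABLES="${IPTABLES:-iptables}"

# Print the iptables commands for every forwarding rule of one guest.
#   $1 = guest name   $2 = -I (insert) or -D (delete)
forward_rules() {
    fr_guest=$1
    fr_action=$2
    [ -r "$RULES_FILE" ] || return 0
    while read -r name hport gip gport; do
        [ "$name" = "$fr_guest" ] || continue
        # Accept only numeric ports and an address made of digits and dots, so
        # nothing from the file can smuggle extra shell syntax into a command.
        case $hport in ''|*[!0-9]*) continue ;; esac
        case $gport in ''|*[!0-9]*) continue ;; esac
        case $gip in ''|*[!0-9.]*) continue ;; esac
        echo "$IPTABLES -t nat $fr_action PREROUTING -p tcp --dport $hport -j DNAT --to-destination $gip:$gport"
        echo "$IPTABLES $fr_action FORWARD -d $gip -p tcp --dport $gport -j ACCEPT"
    done < "$RULES_FILE"
}

# Print the commands to run for one hook invocation.
#   $1 = guest name   $2 = operation
plan_for_event() {
    case $2 in
        start|reconnect)
            # "reconnect" arrives once per active guest after libvirtd has
            # restarted and refreshed its own rules: drop any stale copy of
            # our rules, then re-insert them at the top of the chains.
            forward_rules "$1" -D
            forward_rules "$1" -I
            ;;
        stopped)
            forward_rules "$1" -D
            ;;
    esac
}

# Act only when called as a hook (guest name and operation present).
if [ "$#" -ge 2 ]; then
    plan_for_event "$1" "$2" | sh
    exit 0   # a rule failure here should not abort the guest operation
fi
```

Calling plan_for_event by hand with a guest name and "reconnect" prints the commands without running them, which is a convenient way to review the rules before installing the hook.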

BZ#828729

On certain NUMA architectures, libvirt failed to process and expose the NUMA topology, sometimes leading to performance degradation. With this update, libvirt can parse and expose the NUMA topology on such machines and makes the correct CPU placement, thus avoiding performance degradation.

BZ#831877

The virsh undefine command supports deleting volumes associated with a domain. When using this command, the volumes are passed as additional arguments and if the user adds any trailing string after the basic command, the string is interpreted as a volume to be deleted. Previously, the volumes were checked after the guest was deleted, which could lead to user errors. With this update, the check of the volume arguments is performed before the deleting process so that errors can be reported sensibly. As a result, the command with an incorrect argument fails before it attempts to delete a guest and the host system stays in a sane state.

BZ#832081

Due to several bugs in the implementation of keep-alive messages that are used for the detection of broken connections or non-functional peers, these connections and peers could be incorrectly considered broken or non-functional and thus the keep-alive messages were disabled by default in Red Hat Enterprise Linux 6.3. The implementation of the keep-alive messages has been fixed and this feature is now enabled by default.

BZ#834927

Previously, a reversed condition in a check which is used during registering callbacks prevented multiple callbacks from being registered. This update applies a patch to fix this condition and multiple callbacks can be registered successfully now.

BZ#836135

The SPICE server needs a certain amount of time at the end of the migration process to transfer an internal state to a destination guest. Previously, the libvirt library could kill the source QEMU and the SPICE server before the internal state was transmitted. This behavior caused the destination client to be unresponsive. With this update, libvirt waits until the end of SPICE migration. As a result, the SPICE server no longer becomes unresponsive in this situation.

BZ#837659

When using the sanlock daemon for locking resources used by a domain, if such a resource was read-only, the locking attempt failed. Consequently, it was impossible to start a domain with a CD-ROM drive. This bug has been fixed and sanlock can now be properly used with read-only devices.

BZ#839661

Previously, the libvirt library did not support the S4 (Suspend-to-Disk) event on QEMU domains. Consequently, management applications could not register whether a guest was suspended to disk or powered off. With this update, support for S4 event has been added and management applications can now request receiving S4 events.

BZ#842208

Due to an installation of the vdsm daemon, the libvirt library was reconfigured and under certain conditions, libvirt was searching for a non-existing option when used outside of vdsm. Consequently, using the virsh utility on such a machine caused the system to terminate with a segmentation fault. The underlying source code has been modified to fix this bug and users can now use virsh on machines configured by vdsm as expected.

BZ#844266

Previously, a condition in a check, which is used for checking if modification of a domain XML in a saved file was successful or not, was inverted. Consequently, the virsh utility reported that this check failed even if it was successful and vice versa. This update applies a patch to fix this bug and success and failure of this check are reported correctly now.

BZ#844408

Disk hot plug is a two-part action: the qemuMonitorAddDrive() call is followed by the qemuMonitorAddDevice() call. When the first part succeeded but the second one failed, libvirt failed to roll back the first part and the device remained in use even though the disk hot plug failed. With this update, the rollback for the drive addition is properly performed in the described scenario and disk hot plug now works as expected.

BZ#845448

Previously the SIGINT signal was not blocked when the virDomainGetBlockJobInfo() function was performed. Consequently, an attempt to abort a process initialized by a command with the --wait option specified using the CTRL+C shortcut did not work properly. This update applies a patch to block SIGINT during virDomainGetBlockJobInfo() and aborting processes using the CTRL+C shortcut now works as expected.

BZ#845635

Previously, an unspecified error with a meaningless error code was returned when a guest agent became unresponsive. Consequently, management applications could not recognize why the guest agent hung; whether the guest agent was not configured or was unusable. This update introduces a new VIR_ERR_AGENT_UNRESPONSIVE error code and fixes the error message. As a result, management applications now can recognize why the guest agent hangs.

BZ#846639

Due to a bug in the libvirt code, two mutually exclusive cases could occur. In the first case, a guest operating system could fail to detect that it was being suspended because the suspend routine is handled by hypervisor. In the second case, the cooperation of the guest operating system was required, for example during synchronization of the time after the resume routine. Consequently, it was possible to successfully call the suspend routine on a domain with the pmsuspended status and libvirt returned success on operation, which in fact failed. This update adds an additional check to prevent libvirt from suspending a domain with the pmsuspended status.

BZ#851397

Due to recent changes in port allocation, SPICE ports and SPICE TLS ports were the same. Consequently, QEMU domains started with both options configured to use the same port and SPICE TLS ports could not allocate one port twice. With this update, the port allocation has been fixed and the QEMU domains now work as expected in this situation.

BZ#853567

A virtual guest can have a network interface that is connected to an SR-IOV (Single Root I/O Virtualization) device's virtual function (VF) using the macvtap driver in passthrough mode, and from there is connected to an 802.1Qbh-capable switch. Previously, when shutting down the guest, libvirt erroneously set the SR-IOV device's physical function (PF) offline rather than setting the VF offline. Here is an example of the type of an interface that could be affected:

    <interface type='direct'>
      <source dev='eth7' mode='passthrough'/>
      <virtualport type='802.1Qbh'>
        <parameters profileid='test'/>
      </virtualport>
    </interface>

Consequently, if PF was being used by the host for its own network connectivity, the host networking would be adversely affected, possibly completely disabled, whenever the guest was shut down, or when the guest's network device was detached. The underlying source code has been modified to fix this bug and the PF associated with the VF used by the macvtap driver now continues to work in the described scenario.

BZ#856247

Red Hat Enterprise Linux 6.3 implemented the block copy feature before the upstream version of QEMU. Since then, several improvements were made to the upstream version of this feature. Consequently, previous versions of the libvirt library were unable to fully manage the block copy feature in current release of QEMU. With this update, the block copy feature has been updated to upstream versions of QEMU and libvirt. As a result, libvirt is able to manage all versions of the block copy feature.

BZ#856864

Previously, libvirt put the default USB controller into the XML configuration file during the live migration to Red Hat Enterprise Linux 6.1 hosts. These hosts did not support USB controllers in the XML file. Consequently, live migration to these hosts failed. This update prevents libvirt from including the default USB controller in the XML configuration file during live migration and live migration works properly in the described scenario.

BZ#856950

When a QEMU process is being destroyed by libvirt, a clean-up operation frees some internal structures and locks. However, since users can destroy QEMU processes at the same time, libvirt holds the QEMU driver mutex to protect the list of domains and their states, among other things. Previously, a function tried to lock the QEMU driver mutex when it was already locked, creating a deadlock. The code has been modified to always check if the mutex is free before attempting to lock it, thus fixing this bug.

BZ#858204

When the host_uuid option was present in the libvirtd.conf file, the augeas libvirt lens was unable to parse the file. This bug has been fixed and the augeas libvirt lens now parses libvirtd.conf as expected in the described scenario.

BZ#862515

Previously, handling of duplicate MAC addresses differed between live attach or detach, and persistent attach or detach of network devices. Consequently, the persistent attach-interface of a device with a MAC address that matches an existing device could fail, even though the live attach-interface of such a device succeeded. This behavior was inconsistent, and sometimes led to an incorrect device being detached from the guest. With this update, libvirt has been modified to allow duplicate MAC addresses in all cases and to check a unique PCI address in order to distinguish between multiple devices with the same MAC address.

BZ#863115

Previously, libvirt called the qemu-kvm -help command every time it started a guest to learn what features were available for use in QEMU. On a machine with a number of guests, this behavior caused noticeable delays in starting all of the guests. This update modifies libvirt to cache information about QEMU until the QEMU time stamp is changed. As a result, libvirt is faster when starting a machine with various guests.

BZ#865670

Previously, the ESX 5.1 server was not fully tested. Consequently, connecting to ESX 5.1 caused a warning to be returned. The ESX 5.1 server has been properly tested and connecting to this server now works as expected.

BZ#866369

Under certain circumstances, the iohelper process failed to write data to disk while saving a domain and kernel did not report an out-of-space error (ENOSPC). With this update, libvirt calls the fdatasync() function in the described scenario to force the data to be written to disk or catch a write error. As a result, if a write error occurs, it is now properly caught and reported.

BZ#866388

Certain operations in libvirt can be done only when a domain is paused to prevent data corruption. However, if a resuming operation failed, the management application was not notified since no event was sent. This update introduces the VIR_DOMAIN_EVENT_SUSPENDED_API_ERROR event and management applications can now keep closer track of domain states and act accordingly.

BZ#866999

When libvirt could not find a suitable CPU model for a host CPU, it failed to provide the CPU topology in host capabilities even though the topology was detected correctly. Consequently, applications that work with the host CPU topology but not with the CPU model could not see the topology in host capabilities. With this update, the host capabilities XML description contains the host CPU topology even if the host CPU model is unknown.

BZ#869096

Previously, libvirt supported the emulatorpin option to set the CPU affinity for a QEMU domain process. However, this behavior overrode the CPU affinity set by the vcpu placement="auto" setting when creating a cgroup hierarchy for the domain process. This CPU affinity is set with the advisory nodeset from the numad daemon. With this update, libvirt does not allow the emulatorpin option to change the CPU affinity of a domain process if the vcpu placement setting is set to auto. As a result, the numad daemon is supported as expected.

BZ#873792

The libvirt library allows users to cancel an ongoing migration. Previously, if an attempt to cancel the migration was made in the migration preparation phase, QEMU missed the request and the migration was not canceled. With this update, the virDomainAbortJob() function sets a flag when a cancel request is made and this flag is checked before the main phase of the migration starts. As a result, a migration can now be properly canceled even in the preparation phase.

BZ#874050

Certain AMD processors contain modules which are reported by the kernel as both threads and cores. Previously, the libvirt processor topology detection code was not able to detect these modules. Consequently, libvirt reported the actual number of processors twice. This bug has been fixed by reporting a topology that adds up to the total number of processors reported in the system. However, the actual topology has to be checked in the output of the virCapabilities() function. Additionally, documentation for the fallback output has been provided.

Note

Note that users should be instructed to use the capability output for topology detection purposes due to performance reasons. The NUMA topology has an important impact on performance, but the physical topology can differ from it.

BZ#879780

Due to changes in the virStorageBackendLogicalCreateVol() function, the setting of the volume type was removed. Consequently, logical volumes were treated as files without any format and libvirt was unable to clone them. This update provides a patch to set the volume type and libvirt clones logical volumes as expected.

BZ#880919

When a saved file could not be opened, the virFileWrapperFdCatchError() function was called with a NULL argument. Consequently, the libvirtd daemon terminated unexpectedly due to a NULL pointer dereference. With this update, the virFileWrapperFdCatchError() function is called only when the file is open and instead of crashing, the daemon now reports an error.

BZ#884650

Whenever the virDomainGetXMLDesc() function was executed on an unresponsive domain, the call also became unresponsive. With this update, QEMU sends the BALLOON_CHANGE event when memory usage on a domain changes so that virDomainGetXMLDesc() no longer has to query an unresponsive domain. As a result, virDomainGetXMLDesc() calls no longer hang in the described scenario.

Enhancements

BZ#638512

This update adds support for external live snapshots of disks and RAM.

BZ#693884

Previously, libvirt could apply packet filters, among others the anti-spoofing filter, to guest network connections using the nwfilter subsystem. However, these filter rules required manually entering the IP address of a guest into the guest configuration. This process was not effective when guests acquired their IP addresses via the DHCP protocol; the network needed a manually added static host entry for each guest and the guest's network interface definition needed that same IP address to be added to its filters. This enhancement improves libvirt to automatically learn IP and MAC addresses used by a guest network connection by monitoring the connection's DHCP and ARP traffic in order to set up host-based guest-specific packet filtering rules that block traffic with incorrect IP or MAC addresses from the guests. With this new feature, nwfilter packet filters can be written to use automatically detected IP and MAC addresses, which simplifies the process of provisioning a guest.

BZ#724893

When the guest CPU definition is not supported due to the user's special configuration, an error message is returned. This enhancement improves this error message to contain flags that indicate precisely which options of the user's configuration are not supported.

BZ#771424

The Resident Set Size (RSS) limits control how much RAM a process can use. If a process leaks memory, the limits do not let the process influence other processes within the system. With this update, the RSS limits of a QEMU process are set by default according to how much RAM and video RAM is configured for the domain.

BZ#772088

Previously, the libvirt library could create block snapshots, but could not clean them up. For a long-running guest, creating a large number of snapshots led to performance issues as the QEMU process emulator had to traverse longer chains of backing images. This enhancement improves the libvirt library to control the feature of the QEMU process emulator which is responsible for committing the changes in a snapshot image back into the backing file, and the backing chain is now kept at a more manageable length.

BZ#772290

Previously, the automatically allocated ports for the SPICE and VNC protocols started on the port number 5900. With this update, the starting port for SPICE and VNC is configurable by users.

BZ#789327

The QEMU guest and the media of CD_ROM or Floppy could be suspended or resumed inside the guest directly instead of using the libvirt API. This enhancement improves the libvirt library to support three new events of the QEMU Monitor Protocol (QMP): the SUSPEND, WAKEUP, and DEVICE_TRAY_MOVED events. These events let a management application know that the guest status or the tray status has been changed:

when the SUSPEND event is emitted, the domain status is changed to pmsuspended;

when the WAKEUP event is emitted, the domain status is changed to running;

when the DEVICE_TRAY_MOVED event is emitted for a disk device, the current tray status for the disk is reflected in the libvirt XML file, so that management applications do not start the guest with the medium inserted while the medium has been previously ejected inside the guest.


BZ#804749

The QEMU process emulator now supports TSC-Deadline timer mode for guests that are running on the Intel 64 architecture. This enhancement improves the libvirt library with this feature's flag to stay synchronized with QEMU.

BZ#805071

Previously, it was impossible to move a guest's network connection to a different network without stopping the guest. In order to change the connection, the network needed to be completely detached from the guest and then re-attached after changing the configuration to specify the new connection. With this update, it is now possible to change a guest's interface definition to specify a different type of interface, and to change the network or bridge name or both, all without stopping or pausing the guest or detaching its network device. From the point of view of the guest, the network remains available during the entire transition; if the move requires a new IP address, that can be handled by changing the configuration on the guest, or by requesting that it renews its DHCP lease.

BZ#805243

When connecting to the libvirt library, a certain form of authentication could be required and if so, interactive prompts were presented to the user. However, in certain cases, the interactive prompts cannot be used, for example when automating background processes. This enhancement improves libvirt to use the auth.conf file located in the $HOME/.libvirt/ directory to supply authentication credentials for connections. As a result, these credentials are pre-populated, thus avoiding the interactive prompts.

BZ#805654

This enhancement improves libvirt to support connection of virtual guest network devices to Open vSwitch bridges, which provides a more fully-featured replacement for the standard Linux Host Bridge. Among other features, Open vSwitch bridges allow setting more connections to a single bridge, transparent VLAN tagging, and better management using the Open Flow standard. As a result, libvirt is now able to use an already existing Open vSwitch bridge, either directly in the interface definition of a guest, or as a bridge in a libvirt network. Management of the bridge must be handled outside the scope of libvirt, but guest network devices can be attached and detached, and VLAN tags and interface IDs can be assigned on a per-port basis.

BZ#818996

Certain users prefer to run minimal configurations for server systems and do not need graphical or USB support. This enhancement provides a new feature that allows users to disable USB and graphic controllers in guest machines.

BZ#820808, BZ#826325

With this enhancement, the virsh dump command is now supported for domains with passthrough devices. As a result, these domains can be dumped with an additional --memory-only option.

BZ#822064

The libvirt library has already supported pinning and limiting QEMU threads associated with virtual CPUs, but other threads, such as the I/O thread, could not be pinned and limited separately. This enhancement improves libvirt to support pinning and limiting of both CPU threads and other emulator threads separately.

BZ#822589

This enhancement improves the libvirt library to be able to configure Discretionary Access Control (DAC) for each domain, so that certain domains can access different resources.

BZ#822601

Previously, only the “system instance” of the libvirtd daemon, that is the one that is running as the root user, could set up a guest network connection using a tap device and host bridge. A “session instance”, that is the one that is running as a non-root user, was only able to use QEMU's limited “user mode” networking. User mode network connections have several limitations; for example, they do not allow incoming connections, or ping in either direction, and are slower than a tap-device based network connection. With this enhancement, libvirt has been updated to support QEMU's new SUID “network helper”, so that non-privileged libvirt users are able to create guest network connections using tap devices and host bridges. Users who require this behavior need to set the interface type to bridge in the virtual machine's configuration; libvirtd then automatically notices that it is running as a non-privileged user, and notifies QEMU to set up the network connection using its “network helper”.

Note

This feature is only supported when the interface type is bridge, and does not work with the network interface type even if the specified network uses a bridge device.

BZ#822641

Previously, core dumps for domains with a large amount of memory were unnecessarily huge. With this update, a new dumpCore option has been added to control whether the guest's memory should be included in a core dump. When this option is set to off, core dumps are reduced by the size of the guest's memory.

BZ#831099

This enhancement allows the libvirt library to set the World Wide Name (WWN), which provides stable device paths, for IDE and SCSI disks.

BZ#836462

This enhancement adds the possibility to control the advertising of S3 (Suspend-to-RAM) and S4 (Suspend-to-Disk) domain states to a guest. As a result, supported versions of QEMU can be configured to not advertise its S3 or S4 capability to a guest.

BZ#838127

With this update, support for the AMD Opteron G5 processor model has been added to the libvirt library. This change allows the user to utilize the full potential of new features, such as 16c, fma, and tbm.

BZ#843087

This enhancement adds support for the next generation Intel Core and Intel Xeon processors to the libvirt library. The next generation supports the following features: fma, pcid, movbe, fsgsbase, bmi1, hle, avx2, smep, bmi2, erms, invpcid, and rtm, compared to the previous Intel Xeon Processor E5-XXXX and Intel Xeon Processor E5-XXXX V2 family of processors.

BZ#844404

When changing the configuration of a libvirt virtual network, it was necessary to restart the network for these changes to take effect. This enhancement adds a new virsh net-update command that allows certain parts of a network configuration to be modified, and the changes to be applied immediately without requiring a restart of the network and disconnecting of guests. As a result, it is now possible to add static host entries to and remove them from a network's dhcp section; change the range of IP addresses dynamically assigned by the DHCP server; modify, add, and remove portgroup elements; and add and remove interfaces from a forward element's pool of interfaces, all without restarting the network. Refer to the virsh(1) man page for more details about the virsh net-update command.

BZ#860570

With this enhancement, the virsh program supports the --help option for all its commands and displays appropriate documentation.

BZ#864606

With this enhancement, the libvirt library can now control the hv_relaxed feature. This feature makes a Windows guest more tolerant to long periods of inactivity.

BZ#874171

The current release of the libvirt library added several capabilities related to snapshots. Among these was the ability to create an external snapshot, whether the domain was running or was offline. Consequently, it was also necessary to improve the user interface to support those features in the virsh program. With this update, these snapshot-related improvements were added to virsh to provide full support of these features.

BZ#878578

For security reasons, certain SCSI commands were blocked in a virtual machine. This behavior was related to applications where logical unit numbers (LUNs) of SCSI disks were passed to trusted guests. This enhancement improves libvirt to support a new sgio attribute. Setting this attribute to unfiltered allows trusted guests to invoke all supported SCSI commands.

All users of libvirt are advised to upgrade to these updated packages, which fix these issues and add these enhancements. After installing the updated packages, the libvirtd daemon must be restarted using the service libvirtd restart command for this update to take effect.
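A host-side audit of two of the libvirt settings described above, nwfilter address learning (BZ#693884) and the sgio attribute (BZ#878578), given as an added example that is not part of the Technical Notes or of libvirt's own code. The domain XML is constructed, and the `CTRL_IP_LEARNING` and `IP` filter parameter names are taken from libvirt's nwfilter documentation rather than from this page.

```python
import xml.etree.ElementTree as ET

# Constructed domain XML for illustration (not taken from the Technical Notes).
SAMPLE_DOMAIN_XML = """
<domain type='kvm'>
  <name>guest-constructed</name>
  <devices>
    <interface type='network'>
      <mac address='52:54:00:00:00:01'/>
      <source network='default'/>
      <filterref filter='clean-traffic'>
        <parameter name='CTRL_IP_LEARNING' value='dhcp'/>
      </filterref>
    </interface>
    <interface type='network'>
      <mac address='52:54:00:00:00:02'/>
      <source network='default'/>
      <filterref filter='clean-traffic'>
        <parameter name='IP' value='192.0.2.10'/>
      </filterref>
    </interface>
    <interface type='bridge'>
      <mac address='52:54:00:00:00:03'/>
      <source bridge='br0'/>
    </interface>
    <disk type='block' device='lun' sgio='unfiltered'>
      <source dev='/dev/sdb'/>
      <target dev='sda' bus='scsi'/>
    </disk>
    <disk type='block' device='lun'>
      <source dev='/dev/sdc'/>
      <target dev='sdb' bus='scsi'/>
    </disk>
  </devices>
</domain>
"""


def classify_interface(iface):
    """Return (mac, state) describing how one <interface> is filtered."""
    mac_el = iface.find("mac")
    mac = mac_el.get("address") if mac_el is not None else "(no mac)"
    ref = iface.find("filterref")
    if ref is None:
        # No nwfilter attached: nothing on the host blocks spoofed addresses.
        return mac, "no-filter"
    params = {p.get("name"): p.get("value") for p in ref.findall("parameter")}
    if "IP" in params:
        # Address typed in by hand, the pre-6.4 workflow the note describes.
        return mac, "static-ip"
    # Filter relies on learned addresses; report the requested learning mode.
    return mac, "learn-" + params.get("CTRL_IP_LEARNING", "default")


def interface_states(xml_text):
    """List (mac, state) for every guest interface in the domain XML."""
    root = ET.fromstring(xml_text.strip())
    return [classify_interface(i) for i in root.findall("./devices/interface")]


def audit_domain(xml_text):
    """Return (kind, identifier, code) findings worth a reviewer's attention."""
    root = ET.fromstring(xml_text.strip())
    findings = []
    for mac, state in interface_states(xml_text):
        if state in ("no-filter", "static-ip"):
            findings.append(("interface", mac, state))
    for disk in root.findall("./devices/disk"):
        # sgio='unfiltered' lets the guest issue all supported SCSI commands,
        # so each occurrence should map to a guest that is actually trusted.
        if disk.get("sgio") == "unfiltered":
            target = disk.find("target")
            dev = target.get("dev") if target is not None else "(no target)"
            findings.append(("disk", dev, "sgio-unfiltered"))
    return findings


if __name__ == "__main__":
    for kind, ident, code in audit_domain(SAMPLE_DOMAIN_XML):
        print(f"{kind} {ident}: {code}")
```

The same functions can be run over the output of `virsh dumpxml` for each domain on a host.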

6.129. libwacom

6.129.1. RHEA-2013:0333 — libwacom enhancement update

Updated libwacom packages that add one enhancement are now available for Red Hat Enterprise Linux 6.

The libwacom packages contain a library that provides access to a tablet model database. The libwacom packages expose the contents of this database to applications, allowing for tablet-specific user interfaces. The libwacom packages allow the GNOME tools to automatically configure screen mappings and calibrations, and provide device-specific configurations.

Enhancement

BZ#857073

Previously, the Wacom Cintiq 22HD graphics tablet was not supported by the libwacom library. Consequently, this specific type of graphics tablet was not recognized by the system. This update adds the support for Wacom Cintiq 22HD, which can now be used without complications.

All users of libwacom are advised to upgrade to these updated packages, which add this enhancement.

6.130. lldpad

6.130.1. RHBA-2013:0414 — lldpad bug fix and enhancement update

Updated lldpad packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The lldpad packages provide the Linux user space daemon and configuration tool for Intel's Link Layer Discovery Protocol (LLDP) agent with Enhanced Ethernet support.

Upgrade to an upstream version

The lldpad packages have been upgraded to upstream version 0.9.45, which provides a number of bug fixes and enhancements over the previous version. In particular, a new subpackage, lldpad-libs, has been introduced. It contains the liblldp_clif shared library which provides an easy way for applications to talk to the LLDPAD daemon (lldpad). (BZ#819938)

Bug Fixes

BZ#818598

Previously, LLDPAD did not listen to multicast MAC addresses. Consequently, it could not gather information from locally connected bridges and lldptool displayed the wrong information. A patch has been applied to enable monitoring of broadcast MAC addresses and users can now display the correct information about locally connected bridges.

BZ#824188

Previously, dcbtool commands could, under certain circumstances, fail to enable the Fibre Channel over Ethernet (FCoE) application type-length-values (TLV) for a selected interface during the installation process. Consequently, various important features might have not been enabled (for example priority flow control, or PFC) by the Data Center Bridging Exchange (DCBX) peer. To prevent such problems, application-specific parameters (such as the FCoE application TLV) in DCBX are now enabled by default.


BZ#829857

Previously, an error in the DCBX (Data Center Bridging Exchange) version selection logic could cause LLDPDUs (Link Layer Discovery Protocol Data Units) to not be encoded in the TLV (Type-Length Value) format during the transition from IEEE DCBX to the legacy DCBX mode. Consequently, link flaps, a delay, or a failure in synchronizing up DCBX between the host and a peer device could occur. In the case of booting from a remote FCoE (Fibre-Channel Over Ethernet) LUN (Logical Unit Number), this bug could result in a failure to boot. This update fixes the bug and TLV is now always used in the described scenario.

BZ#870576

When none of the user priority attributes were PFC (Priority-based Flow Control) enabled, attempting to query the currently configured LocalAdminParam values for the "enabled" parameter produced the message "End of LLDPDU TLV". An upstream patch has been applied and now the lldptool utility returns "none" as expected in the scenario described.

BZ#870578

Previously, when a peer removed a TLV (ETS, PFC, or APP) the 802.1Qaz module did not update the local MIB. Consequently, this resulted in the old peer data persisting even though it was no longer in the received PDU. This update resolves the problem by clearing the local MIB even in the case of a NULL PTR indicating that no MIB was received. As a result, the operational status for PFC reverts to the localAdminParams settings as expected in the scenario described.

Enhancement

BZ#738897

This update adds support for the IEEE 802.1Qbg standard over bonded interfaces. Users can now take full advantage of 802.1Qbg capabilities.

All users of lldpad are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.131. lm_sensors

6.131.1. RHBA-2012:1309 — lm_sensors bug fixes

Updated lm_sensors packages that fix three bugs are now available for Red Hat Enterprise Linux 6.

The lm_sensors packages provide a set of modules for general SMBus access and hardware monitoring.

Bug Fixes

BZ#610000, BZ#623587

Prior to this update, the sensors-detect script did not detect all GenuineIntel CPUs. As a consequence, lm_sensors did not load the coretemp module automatically. This update uses a more generic detection for Intel CPUs. Now, the coretemp module is loaded as expected.

BZ#768365

Prior to this update, the sensors-detect script reported an error when running without user-defined input. This behavior had no impact on the function but could confuse users. This update modifies the underlying code to allow for the sensors-detect script to run without user.

All users of lm_sensors are advised to upgrade to these updated packages, which fix these bugs.

6.132. logrotate

6.132.1. RHBA-2012:1172 — logrotate bug fix update

Updated logrotate packages that fix one bug are now available for Red Hat Enterprise Linux 6.

The logrotate utility simplifies the administration of multiple log files, allowing the automatic rotation, compression, removal, and mailing of log files.

Bug Fix

BZ#827570

Attempting to send a file to a specific e-mail address failed if the "mailfirst" and "delaycompress" options were used at the same time. This was because logrotate searched for a file with the "gz" suffix; however, the file had not yet been compressed. The underlying source code has been modified, and logrotate correctly finds and sends the file under these circumstances.

All users of logrotate are advised to upgrade to these updated packages, which fix this bug.

6.133. lohit-telugu-fonts

6.133.1. RHBA-2012:1212 — lohit-telugu-fonts bug fix update

An updated lohit-telugu-fonts package that fixes one bug is now available for Red Hat Enterprise Linux 6.

The lohit-telugu-fonts package provides a free Telugu TrueType/OpenType font.

Bug Fix

BZ#640610

Due to a bug in the lohit-telugu-fonts package, four certain syllables were rendering incorrectly. This bug has been fixed and these syllables now render correctly.

All users of lohit-telugu-fonts are advised to upgrade to this updated package, which fixes this bug.

6.134. luci

6.134.1. RHBA-2013:0309 — luci bug fix and enhancement update

Updated luci packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.


The luci packages contain a web-based high-availability cluster configuration application.

Bug Fixes

BZ#807344

Previously, the resource and service names in the /etc/cluster/cluster.conf configuration file that contained non-standard characters, like hash (#), question mark (?), or slash (/), were not properly handled by the luci application. Consequently, when processing such a configuration file, luci failed with the following message:

Error 500
We're sorry but we weren't able to process this request.

This bug has been fixed, and luci now handles resources and services whose names contain the aforementioned characters without complications.

BZ#815666

When the fence instance was configured with the delay attribute in the /etc/cluster/cluster.conf file, the luci application ignored the subsequently enabled unfence instance that was configured without the delay attribute. The unfence status was incorrectly displayed as disabled in the luci interface, but unfencing was performed without complications. With this update, the underlying source code has been modified to address this issue. As a result, unfence is now properly reported in luci.

BZ#826951

Previously, it was possible to create a fencing device with an invalid name (starting with a number) using the luci application. The device was successfully created, but the /etc/cluster/cluster.conf file did not pass the schema validation check. The bug has been fixed, and a warning message is now displayed to prevent users from setting invalid device names in the /etc/cluster/cluster.conf file.

BZ#853151

Previously, certain errors related to the communication between the luci and ricci applications could have been dropped without notification to the user. Also, the following message could occur in the /var/log/luci/luci.log file:

No object (name: translator) has been registered for this thread

With this update, this behavior has been modified and the described errors are now properly written to the log file.

BZ#856253

Prior to this update, a double click on the Connect button in the Add Existing Cluster dialog window led to listing the cluster twice. With this update, the underlying source code has been modified to address this issue, and the cluster is now listed only once regardless of how many times the Connect button was pressed.

BZ#860042

Previously, when attempting to create a service that referenced the same global resource twice, the luci application terminated unexpectedly with the following message:

A resource named "<name>" already exists

This bug has been fixed, and luci now accepts multiple references inside a service group.

BZ#877188

Previously, the luci application allowed the max_restarts, __max_restarts, and __max_failures variables to be set without setting their corresponding timeout variables (restart_expire_time, __restart_expire_time, __failure_expire_time), and the other way around. This behavior has been changed, and an error is now issued in case the corresponding variables are not set.

BZ#877392

When the self_fence property was enabled using the luci interface, the corresponding entry in the /etc/cluster/cluster.conf file was written incorrectly. A value was assigned in the form of self_fence="on" instead of self_fence="1" or self_fence="yes". Consequently, fencing actions failed. The bug has been fixed, and self_fence is now assigned with the correct value. As a result, fencing now works properly when enabled with luci.

BZ#881796

Certain previous versions of Microsoft Internet Explorer incorrectly processed JavaScript files containing trailing commas. Consequently, several dialog windows of the luci interface were affected. With this update, the trailing commas have been removed from luci JavaScript files to assure proper luci functionality in older versions of Microsoft Internet Explorer.

BZ#881955

Prior to this update, resource and service attributes that accept boolean input did not use consistent values to denote enabled or disabled status. The accepted values were: 1 or 0, on or off, yes or no, true or false. With this update, only the values 1 or 0 are accepted in attributes that use boolean input.

BZ#882995

Previously, after renaming a fencing device with an enabled unfence option, this unfence instance was not updated with the new name and referred to a non-existent device. This bug has been fixed, and an unfence reference is now correctly updated when a fencing device is renamed.

BZ#886678

Prior to this update, the luci resource template searched for the oracletype attribute instead of type when processing the /etc/cluster/cluster.conf file. Consequently, the oracledb attribute was always displayed as Default in the luci interface, regardless of its actual assigned value. This bug has been fixed, and oracletype type is now correctly displayed by luci.

Enhancements


BZ#740867

With this update, support for the IBM iPDU fence device has been added to the luci application.

BZ#809892

With this update, a new user table has been added to the Admin/User and Permissions pages of the luci interface. It is now possible to remove users from luci.

BZ#821928

With this update, support for configuring the privlvl (privilege level) attribute used by the fence_ipmilan fencing agent has been added to the luci application. As a result, privlvl can now be successfully configured by luci.

BZ#822502

With this update, support for the nfsrestart option for the file system and cluster file system resource agents has been added to the luci application. This option provides a way to forcefully restart NFS servers and allow a clean unmount of an exported file system.

BZ#865300

This update adds the fence_eaton agent, which supports Eaton ePDU (Enclosure Power Distribution Unit) devices in Red Hat Enterprise Linux 6, to the luci package.

BZ#865533

With this update, an interface for configuring and displaying the fence_hpblade fence devices has been added to the luci application.

Users of luci are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.135. lvm2

6.135.1. RHBA-2013:0501 — lvm2 bug fix and enhancement update

Updated lvm2 packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The lvm2 packages provide support for Logical Volume Management (LVM).

Bug fixes

BZ#837927

When creating a RAID Logical Volume, if the --regionsize (-R) option (used with the lvcreate command) was not specified, LVs larger than 2 TB could not be created or extended. Consequently, creating or extending such volumes caused errors. With this update, the region size is automatically adjusted upon creation or extension and large LVs can now be created.

BZ#834703

Extending a RAID 4/5/6 Logical Volume failed to work properly because the parity devices were not properly accounted for. This has been corrected by covering the "simple" case where the LV is extended with the same number of stripes as the original (reducing or extending a RAID 4/5/6 LV with different number of stripes is not implemented yet). As a result, it is now possible to extend a RAID 4/5/6 Logical Volume.

BZ#832392

When the issue_discards=1 configuration option was used or configured in the /etc/lvm/lvm.conf file, moving Physical Volumes via the pvmove command resulted in data loss. The problem has been fixed with this update.

BZ#713599, BZ#800801

Device-mapper devices (including LVM devices) were not deactivated at system shutdown or reboot. Consequently, when device-mapper devices were layered on the top of other block devices and these were detached during the shutdown or reboot procedure, any further access to the device-mapper devices ended up with either I/O errors or an unresponsive system as the underlying devices were unreachable (for example iSCSI or FCoE devices). With this update, a new blkdeactivate script along with a blk-availability shutdown script have been provided. These scripts unmount and deactivate any existing device-mapper devices before deactivating and detaching the underlying devices on shutdown or reboot. As a result, there are no I/O errors or hangs if using attached storage that detaches itself during the shutdown or reboot procedure.

BZ#619574

An LVM mirror can be created with three different types of log devices: core (in-memory), disk, and mirrored. The mirrored log is itself redundant and resides on two different Physical Volumes. Previously, if both devices composing the mirror log were lost, they were not always properly replaced during repair, even if spare devices existed. With this update, a mirrored log is properly replaced with a mirrored log if there are sufficient replacement PVs.

BZ#832120, BZ#743505

A mirror Logical Volume can itself have a mirrored log device. When a device in an image of the mirror and its log failed at the same time, it was possible for unexpected I/O errors to appear on the mirror LV. The kernel did not absorb the I/O errors from the failed device by relying on the remaining device. This bug then caused file systems built on the device to respond to the I/O errors (turn read-only in the case of the ext3/4 file systems). The cause was found to be that the mirror was not suspended for repair using the noflush flag. This flag allows the kernel to re-queue I/O requests that need to be retried. Because the kernel was not allowed to re-queue the requests, it had no choice but to return the I/O as errored. This bug has been corrected by allowing the log to be repaired first, thus, the top-level mirror's log can be completed successfully. As a result, the mirror is now properly suspended with the noflush flag.

BZ#803271

When using the lvmetad daemon (global/use_lvmetad=1 LVM2 configuration option) while processing LVM2 commands in a cluster environment (global/locking_type=3), the LVM2 commands did not work correctly and issued various error messages. With this update, if clustered locking is set, the lvmetad daemon is disabled automatically as this configuration is not yet supported with LVM2. As a result, there is now a fallback to non-lvmetad operation in LVM2, if clustered locking is used and a warning message is issued:


WARNING: configuration setting the use_lvmetad parameter overriden to 0 due to the locking_type 3 parameter. Clustered environment is not supported by the lvmetad daemon yet.

BZ#855180

When the user tried to convert a thin snapshot volume into a read-only volume, internal error messages were displayed and the operation failed. With this update, thin snapshot volumes can be converted to read-only mode. Also for the conversion of the thin pool to read-only mode, an explicit error message about an unsupported feature is added.

BZ#801571

Previously, if a device failed while a RAID Logical Volume was not in-sync, any attempts to fix it failed. This case is now handled, however the following limitations are to be noted:

1. The user cannot repair or replace devices in a RAID Logical Volume that is not active. The tool (the lvconvert --repair command) must know the sync status of the array and can only get that when the array is active.

2. The user cannot replace a device in a RAID Logical Volume that has not completed its initial synchronization. Doing so would produce unpredictable results and is therefore disallowed.

3. The user can repair a RAID Logical Volume that has not completed its initial synchronization, but some data may not be recoverable because there had not been time to make that data fully redundant. In this case, a warning is printed and the user is queried if they would like to proceed.

BZ#871058

A race condition in the lvmetad daemon occasionally caused LVM commands to fail intermittently, failing to find a VG that was being updated at the same time by another command. With this update, the race condition no longer occurs.

BZ#857554

If the issue_discards option was enabled in the configuration file and the lvremove command ran against a partial Logical Volume where Physical Volumes were missing, the lvremove command terminated unexpectedly. This bug has been fixed. Also, the new p attribute in the LVS command output is set when the Logical Volume is partial.

BZ#820116

Previously, when there was a Physical Volume in the Volume Group with zero Physical Extents (PEs), that is, a Physical Volume used to store metadata only, the vgcfgrestore command failed with a "Floating point exception" error, because the command attempted to divide by zero. A proper check for this condition has been added to prevent the error and now, after using the vgcfgrestore command, VG metadata is successfully written.

BZ#820229

Previously, when attempting to rename thin Logical Volumes, the procedure failed with the following error message:

"lvrename Cannot rename <volume_name>: name format not recognized for internal LV <pool_name>"

This bug is now fixed and the user can successfully rename thin Logical Volumes.

BZ#843546

Previously, it was not possible to add a Physical Volume to a Volume Group if a device failure occurred in a RAID Logical Volume and there were no spare devices in the VG. Therefore users could not replace the failed devices in a RAID LV and the VG could not be made consistent without physically editing LVM metadata. It is now possible to add a PV to a VG with missing or failed devices and to replace failed devices in a RAID LV with the lvconvert --repair <vg>/<LV> command.

BZ#855398

An improper restriction placed on mirror Logical Volumes caused them to be ignored during activation. Users were unable to create Volume Groups on top of clustered mirror LV and could not recursively stack cluster VG. The restriction has been refined to pass over mirrors that cause LVM commands to block indefinitely and it is now possible to layer clustered VG on clustered mirror LV.

BZ#865035

When a device was missing from a Volume Group or Logical Volume, tags could not be added or removed from the LV. If the activation of an LV was based on tagging using the volume_list parameter in the configuration file (lvm.conf), the LV could not be activated. This affected High Availability LVM (HA-LVM) and without the ability to add or remove tags while a device was missing, RAID LVs in HA-LVM configuration could not be used. This update allows vgchange and lvchange to alter the LVM metadata for a limited set of options while PVs are missing. The --[add|del]tag option is included and the set of allowable options do not cause changes to the device-mapper kernel target and do not alter the structure of the LV.

BZ#84 5269When an LVM command encountered a response problem with the lvmetad daemon, thecommand could cause the system to terminate unexpectedly with a segmentation fault.Currently, LVM commands work properly with lvmetad and crashes no longer occur even ifthere is a malformed response from lvmetad.

BZ#823918A running LVM process could not switch between the lvmetad daemon and non-lvmetadmodes of operation and this caused the LVM process to terminate unexpectedly with asegmentation fault when polling for the result of running lvconvert operation. With thisupdate, the segmentation fault no longer occurs.

BZ#730289The clvmd daemon consumed a lot of memory resource to process every request. Eachrequest invoked a thread, and by default each thread allocated approximately 9 MB of RAM forstack. To fix this bug, the default thread's stack size has been reduced to 128 KB which isenough for the current version of LVM to handle all tasks. This leads to massive reduction ofmemory used during runtime by the clvmd daemon.

BZ#869254

Previously, disabling the udev synchronisation caused udev verification to be constantly enabled, ignoring the actual user-defined setting. Consequently, libdevmapper/LVM2 incorrectly bypassed udev when processing relevant nodes. The libdevmapper library has been fixed to honor the actual user's settings for udev verification. As a result, udev works correctly even in case the udev verification and udev synchronization are disabled at the same time.

BZ#832033

Previously, when using the lvmetad daemon, passing the --test argument to commands occasionally caused inconsistencies in the cache that lvmetad maintains. Consequently, disk corruption occurred when shared disks were involved. An upstream patch has been applied to fix this bug.

BZ#870248

Due to a missing dependency on the device-mapper-persistent-data package, thin pool devices were not monitored on activation. Consequently, unmonitored pools could overfill the configured threshold. To fix this bug, the code path for enabling monitoring of thin pool has been fixed and the missing package dependency added. As a result, when monitoring for thin pool is configured, the dmeventd daemon is enabled to watch for pool overfill.

BZ#836653

A failed attempt to reduce the size of a Logical Volume was sometimes not detected and the lvremove command exited successfully even though it had failed to operate the LV. With this update, lvremove returns the right exit code in the described scenario.

BZ#836663

When using a Physical Volume (PV) that contained ignored metadata areas, an LVM command, such as pvs, could incorrectly display the PV as being an orphan due to the order of processing individual PVs in the VG. With this update, the processing of PVs in a VG has been fixed to properly account for PVs with ignored metadata areas so that the order of processing is no longer important, and LVM commands now always give the same correct result, regardless of PVs with ignored metadata areas.

BZ#837599

Issuing the vgscan --cache command (to refresh the lvmetad daemon) did not remove data about Physical Volumes or Volume Groups that no longer existed — it only updated metadata of existing entities. With this update, the vgscan --cache command removes all metadata that are no longer relevant.

BZ#862253

When there were numerous parallel LVM commands running, the lvmetad daemon could deadlock and cause other LVM commands to stop responding. This behavior was caused by a race condition in lvmetad's multi-threaded code. The code has been improved and now the parallel commands succeed and no deadlocks occur.

BZ#839811

Previously, the first attribute flag was incorrectly set to S when an invalid snapshot occurred, whereas this value in the first position is supposed to indicate a merging snapshot. An invalid snapshot is normally indicated by capitalizing the fifth Logical Volume attribute character. This bug has been fixed and the lvs utility no longer capitalizes the first LV attribute character for invalid snapshots but the fifth, as required.

BZ#842019

Previously, it was possible to specify incorrect arguments when creating a RAID Logical Volume, which could harmfully affect the created device. These inappropriate arguments are no longer allowed.

BZ#839796

Due to incorrect handling of sub-Logical-Volumes (LVs), the pvmove utility was inconsistent and returned a misleading message for RAID. To fix this bug, pvmove has been disallowed from operating on RAID LVs. Now, if it is necessary to move a RAID LV's components from one device to another, the lvconvert --replace <old_pv> <vg>/<lv> <new_pv> command is used.

BZ#836381

The kernel does not allow adding images to a RAID Logical Volume while the array is not synchronized. Previously, the LVM RAID code did not check whether the LV was synchronized. As a consequence, an invalid request could be issued, which caused errors. With this update, the aforementioned condition is checked and the user is now informed that the operation cannot take place until the array is synchronized.

BZ#855171, BZ#855179

Prior to this update, the conversion of a thin pool into a mirror resulted in an aborting error message. As this conversion is not supported, an explicit check which prohibits this conversion before the lvm utility attempts to perform it has been added. Now, the utility returns an explicit error message stating that the feature is not supported.

BZ#822248

Prior to this update, RAID Logical Volumes could become corrupted if they were activated in a clustered Volume Group. To fix this bug, a VG is no longer allowed to be changed to a clustered VG if there are RAID LVs in the VG.

BZ#822243

Previously, it was possible to create RAID Logical Volumes in a clustered Volume Group. As RAID LVs are not cluster capable and activating them in a cluster could cause data damage, the ability to create RAID LVs in a cluster has been disabled.

BZ#821007

Previously, if no last segment on a pre-existing Logical Volume was defined, the normal cling allocation policy was applied and an LV could be successfully created or extended even though there was not enough space on a single Physical Volume and no additional PV was defined in the lvm.conf file. This update corrects the behavior of the cling allocation policy and any attempts to create or extend an LV under these circumstances now fail as expected.

BZ#814782

The interaction of LVM filters and lvmetad could have led to unexpected and undesirable results. Also, updates to the "filter" settings while the lvmetad daemon was running did not force lvmetad to forget the devices forbidden by the filter. Since the normal "filter" setting in the lvm.conf file is often used on the command line, a new option has been added to lvm.conf (global_filter) which also applies to lvmetad. The traditional "filter" setting only applies at the command level and does not affect device visibility to lvmetad. The options are documented in more detail in the example configuration file.

BZ#814777

Prior to this update, the lvrename utility did not work with thin provisioning (pool, metadata, or snapshots) correctly. This bug has been fixed by implementing full support for stacked devices. Now, lvrename handles all types of thin Logical Volumes as expected.

BZ#861456

When creating a Logical Volume using the lvcreate command with the --thinpool and --mirror options, the thinpool flag was ignored and a regular Logical Volume was created. With this update, use of the --thinpool option with the --mirror option is no longer allowed and the lvcreate command fails with a proper error message under these circumstances.

BZ#861841

Previously, the lvm_percent_to_float() function declared in the lvm2app.h header file did not have an implementation in the lvm2app library. Any program which tried to use this function failed at linking time. A patch for lvm2app.h has been applied to fix this bug and lvm_percent_to_float() now works as expected.

BZ#813766

Prior to this update, the LVM utilities returned spurious warning messages during the boot process if the use_lvmetad = 1 option was set in the lvm.conf file. This has been fixed and warning messages are no longer issued during boot.

BZ#862095

Due to the unimplemented <data_percent> property for the lvm2app library, the incorrect value -1 was returned for thin volumes. This bug has been fixed by adding proper support for the lvm_lv_get_property(lv, <data_percent>) function. Now, lvm2app returns correct values.

BZ#870534

Due to a wrong initialization sequence, running an LVM command caused the LVM utility to abort instead of proceeding with scanning-based metadata discovery (requested by using the --config "global{use_lvmetad=0}" option). This bug occurred only when an LVM command was run with the lvmetad cache daemon running. The bug has been fixed and LVM no longer aborts.

BZ#863401

Previously, the pvscan --cache command failed to read part of LVM1 metadata. As a consequence, when using LVM1 (legacy) metadata and the lvmetad daemon together, LVM commands could run into infinite loops when invoked. This bug has been fixed and LVM1 and lvmetad now work together as expected.

BZ#863881

Due to the missing lvm2app library support, incorrect values for the thin snapshots origin field were reported. A patch has been updated to return the correct response to the lvm_lv_get_property(lv, "origin") function.

BZ#865850

Previously, the degree to which RAID 4/5/6 Logical Volumes had completed their initial array synchronization (i.e. initial parity calculations) was not printed in the lvs command output. This information is now included under the heading that has been changed from Copy% to Cpy%Sync. Users can now request the Cpy%Sync information directly via lvs with either the lvs -o copy_percent or the lvs -o sync_percent option.

BZ#644752

Previously, when using Physical Volumes, the exclusive lock was held to prevent other PVs commands from running concurrently in case any Volume Group metadata needed to be read in addition. This is no longer necessary when using lvmetad, as lvmetad caches VG metadata and thus avoids taking the exclusive lock. As a consequence, numerous PVs commands reading VG metadata can be run in parallel without the need for the exclusive lock.

BZ#833180

Attempting to convert a linear Logical Volume to a RAID 4/5/6 Logical Volume is not allowed. When the user tried to execute this operation, a message indicating that the original LV had been striped instead of linear was returned. The messages have been updated to provide correct information and only messages with correct and relevant content are now returned under these circumstances.

BZ#837114

Previously, an attempt to test the create command of a RAID Logical Volume resulted in failure even though the process itself succeeded without the --test argument of the command. With this update, a test run of the create command now properly indicates success if the command is successful.

BZ#837098

Previously, a user-instantiated resynchronization of a RAID Logical Volume failed to cause the RAID LV to perform the actual resynchronization. This bug has been fixed and the LV now performs the resynchronization as expected.

BZ#837093

When a RAID or mirror Logical Volume is created with the --nosync option, an attribute with this information is attached to the LV. Previously, a RAID1 LV did not clear this attribute when the LV was converted to a linear LV and back, even though it underwent a complete resynchronization in the process. With this update, --nosync has been fixed and the attribute is now properly cleared after the LV conversion.

BZ#836391

Due to an error in the code, user-initiated resynchronization of a RAID Logical Volume was ineffective. With this update, the lvchange --resync command has been added on a RAID LV, which makes the LV undergo complete resynchronization.

BZ#885811

Previously, an error in the Volume Group (VG) auto-activation code could cause LVM commands to terminate unexpectedly with the following message:

Internal error: Handler needs existing VG

With this update, cached VG metadata are used instead of relying on an absent MDA content of the last discovered PV. As a result, the aforementioned error no longer occurs.

BZ#885993

Prior to this update, testing the health status of the mirror utility caused a minor memory leak. To fix this bug, all resources taken in the function have been released, and memory leaks for long-term living processes (such as the dmeventd daemon) no longer occur.

BZ#887228

Previously, a nested mutex lock could result in a deadlock in the lvmetad daemon. As a consequence, Logical Volume Manager (LVM) commands trying to talk to lvmetad became unresponsive. The nested lock has been removed, and the deadlock no longer occurs.

BZ#877811

Previously, the lvconvert utility handled the -y and -f command line options inconsistently when repairing mirror or RAID volumes. Whereas the -f option alone worked correctly, when used along with the -y option, the -f option was ignored. With this update, lvconvert handles the -f option correctly as described in the manual page.

BZ#860338

When Physical Volumes were stored on read-only disks, the vgchange -ay command failed to activate any Logical Volumes and the following error message was returned:

/dev/dasdf1: open failed: Read-only file system
device-mapper: reload ioctl failed: Invalid argument
1 logical volume(s) in volume group "v-9c0ed7a0-1271-452a-9342-60dacafe5d17" now active

However, this error message did not reflect the nature of the bug. With this update, the command has been fixed and a Volume Group can now be activated on a read-only disk.

BZ#832596

An error in the space allocation logic caused Logical Volume creation with the --alloc anywhere option to occasionally fail. RAID 4/5/6 systems were particularly affected. The bug was fixed to avoid picking already-full areas for RAID devices.

Enhancements

BZ#783097

Previously, the device-mapper driver UUIDs could have been used to create the /dev content with the udev utility. If mangling was not enabled, udev created incorrect entries for UUIDs containing unsupported characters. With this update, character-mangling support in the libdevmapper library and the dmsetup utility for characters not on the udev-supported whitelist has been enhanced to process device-mapper UUIDs the same way as device-mapper names are. The UUIDs and names are now always controlled by the same mangling mode, thus the existing --manglename dmsetup option affects UUIDs as well. Furthermore, the dmsetup info -c -o command has new fields to display: mangled_uuid and unmangled_uuid.

BZ#817866, BZ#621375

Previously, users had to activate Volume Groups and Logical Volumes manually by calling vgchange/lvchange -ay on the command line. This update adds the autoactivation feature: LVM2 now lets the user specify precisely which Logical Volumes should be activated at boot time and which ones should remain inactive. Currently, the feature is supported only on non-clustered and complete VGs. Note that to activate the feature, lvmetad must be enabled (global/use_lvmetad=1 LVM2 configuration option).

BZ#869402

The manual page for the lvconvert utility has been updated with new supported options for conversion of existing volumes into a thin pool.

BZ#814732

Previously, the user could not specify conversion of a Logical Volume already containing pool information ("pre-formatted LV") into a legitimate thin pool LV. Furthermore, it was rather complex to guide the allocation mechanism to use proper Physical Volumes (PVs) for data and metadata LV. As the lvconvert utility is easier to use in these cases, lvconvert has been enhanced to support conversion of pre-formatted LVs into a thin pool volume. With the --thinpool data_lv_name and --poolmetadata metadata_lv_name options, the user may use a pre-formatted LV to construct a thin pool as with the lvcreate utility.

BZ#636001

A new optional metadata caching daemon (lvmetad) is available as part of this LVM2 update, along with udev integration for device scanning. Repeated scans of all block devices in the system with each LVM command are avoided if the daemon is enabled. The original behavior can be restored at any time by disabling lvmetad in the lvm.conf file.

BZ#814766

Previously, no default behavior could be used to fine-tune performance of some workloads. Now, the thin pool support has been enhanced with configurable discards support. The user may now select from three types of behavior: passdown is the default and passes discard requests through to the thin pool backing device; nopassdown processes discards only on the thin pool level and requests are not passed to the backing device; ignore causes discard requests to be ignored.

BZ#844492

LVM support for 2-way mirror RAID10 has been added. LVM is now able to create, remove, and resize RAID10 Logical Volumes. To create a RAID10 Logical Volume, specify individual RAID parameters similarly as for other RAID types, as in the following example:

~]# lvcreate --type raid10 -m 1 -i 2 -L 1G -n lv vg

Note that the -m and -i arguments behave in the same way they would for other segment types. That is, -i is the total number of stripes while -m is the number of (additional) copies (that is, -m 1 -i 2 gives 2 stripes on the top of 2-way mirrors).

BZ#861843

The lvm2app library now reports the data_percent field which indicates how full snapshots, thin pools and volumes are. The Logical Volume needs to be active to obtain this information.

BZ#814824

The thin pool now supports non-power-of-2 chunk size. However, the size must be a multiple of 64KiB.

BZ#823660

The -l option has been added to the lvmetad daemon to allow logging of wire traffic and more detailed information on internal operation to the standard error stream. This new feature is mainly useful for troubleshooting and debugging.

BZ#834031

Previously, it was possible to pass an incorrect argument on the command line when creating a RAID Logical Volume, for example the --mirrors option for RAID5. Consequently, erroneous and unexpected results were produced. With this update, invalid arguments are caught and reported.

BZ#823667

The lvmdump utility has been extended to include a dump of the internal lvmetad daemon state, helping with troubleshooting and analysis of lvmetad-related problems.

BZ#830250

In Red Hat Enterprise Linux 6.4, LVM adds support for Micron PCIe Solid State Drives (SSDs) as devices that may form a part of a Volume Group.

BZ#883416

The DM_DISABLE_UDEV environment variable is now recognized and takes precedence over any other existing setting when using LVM2 tools, dmsetup and libdevmapper to fall back to non-udev operation. Setting the DM_DISABLE_UDEV environment variable provides a more convenient way of disabling udev support in libdevmapper, dmsetup and LVM2 tools globally without a need to modify any existing configuration settings. This is mostly useful if the system environment does not use udev.

BZ#829221

Physical Volumes (PV) are now automatically restored from the missing state after they become reachable again and even if they had no active metadata areas. In cases of transient inaccessibility of a PV, for example with Internet Small Computer System Interface (iSCSI) or other unreliable transport, LVM required manual action to restore a PV for use even if there was no room for conflict, because there was no active metadata area (MDA) on the PV. With this update, the manual action is no longer required if the transiently inaccessible PV has no active metadata areas.

Users of lvm2 should upgrade to these updated packages, which fix these bugs and add these enhancements.

6.136. mailman

6.136.1. RHBA-2012:1474 — mailman bug fix update

Updated mailman packages that fix multiple bugs are now available for Red Hat Enterprise Linux 6.

Mailman is a program used to help manage e-mail discussion lists.

Bug Fixes

BZ#772998

The reset_pw.py script contained a typo, which could cause the mailman utility to fail with a traceback. The typo has been corrected, and mailman now works as expected.

BZ#799323

The "urlhost" argument was not handled in the newlist script. When running the "newlist" command with the "--urlhost" argument specified, the contents of the index archive page was not created using proper URLs; the hostname was used instead. With this update, "urlhost" is now handled in the newlist script. If the "--urlhost" argument is specified on the command line, the host URL is used when creating the index archive page instead of the hostname.

BZ#832920

Previously, long lines in e-mails were not wrapped in the web archive, sometimes requiring excessive horizontal scrolling. The "white-space: pre-wrap;" CSS style has been added to all templates, so that long lines are now wrapped in browsers that support that style.

BZ#834023

The "From" string in the e-mail body was not escaped properly. A message containing the "From" string at the beginning of a line was split and displayed in the web archive as two or more messages. The "From" string is now correctly escaped, and messages are no longer split in the described scenario.
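The splitting described in BZ#834023 follows from the mbox storage format commonly used for list archives, where a line beginning with "From " marks the start of a new message. The following Python sketch is an added example, not Mailman's code: the sample message, the function names and the mboxrd-style quoting rule used for the escaping are assumptions chosen for illustration.

```python
import re

# Constructed sample: a list post whose body has one line starting with
# "From " and one line that already looks quoted (">From ").
SAMPLE_BODY = (
    "Hi all,\n"
    "\n"
    "From what I can tell, the patch is fine.\n"
    ">From the earlier thread: it was tested on 6.3.\n"
    "Regards\n"
)
SAMPLE_HEADERS = [
    ("From", "alice@example.com"),
    ("Subject", "patch review"),
]

# mboxrd quoting rule (assumed here): a body line made of zero or more ">"
# followed by "From " gets one extra ">", so it can never match the
# separator pattern and the original text stays recoverable.
_NEEDS_QUOTING = re.compile(r"^(>*From )", re.MULTILINE)
_IS_QUOTED = re.compile(r"^>(>*From )", re.MULTILINE)


def escape_body(body):
    """Quote every body line that could be read as a message separator."""
    return _NEEDS_QUOTING.sub(r">\1", body)


def unescape_body(body):
    """Reverse escape_body() when a message is displayed."""
    return _IS_QUOTED.sub(r"\1", body)


def to_mbox_entry(envelope_sender, headers, body, escape):
    """Serialize one message: separator line, headers, blank line, body."""
    if escape:
        body = escape_body(body)
    lines = ["From %s Tue Jan  1 00:00:00 2013\n" % envelope_sender]
    lines += ["%s: %s\n" % (name, value) for name, value in headers]
    lines.append("\n")
    lines.append(body if body.endswith("\n") else body + "\n")
    lines.append("\n")  # blank line that ends every mbox entry
    return "".join(lines)


def split_mbox(text):
    """Split mbox text the way an archiver reads it: every line that
    starts with "From " is taken as the start of a new message."""
    messages, current = [], None
    for line in text.splitlines(True):
        if line.startswith("From "):
            if current is not None:
                messages.append("".join(current))
            current = []  # the separator line itself is not message content
        elif current is not None:
            current.append(line)
    if current is not None:
        messages.append("".join(current))
    return messages


def body_of(message):
    """Return the unquoted body of one message produced by split_mbox()."""
    _headers, _sep, body = message.partition("\n\n")
    return unescape_body(body).rstrip("\n") + "\n"


def archive_message_count(escape):
    """Store the sample post once and count how many messages are read back."""
    entry = to_mbox_entry("alice@example.com", SAMPLE_HEADERS, SAMPLE_BODY, escape)
    return len(split_mbox(entry))


if __name__ == "__main__":
    print("unescaped:", archive_message_count(False), "message(s)")
    print("escaped:  ", archive_message_count(True), "message(s)")
```

Without escaping, the single post is read back as two messages, the second of which starts in the middle of the original body; with escaping it is read back as one message whose body matches what was sent.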

All users of mailman are advised to upgrade to these updated packages, which fix these bugs.

6.137. man-pages-overrides

6.137.1. RHBA-2013:0464 — man-pages-overrides bug fix update

Updated man-pages-overrides package that fixes several bugs is now available for Red Hat Enterprise Linux 6.

The man-pages-overrides package provides a collection of manual (man) pages to complement other packages or update those contained therein.

Bug Fixes

BZ#806845

Prior to this update, documentation about SMBIOS on the dmidecode(8) manual page was unclear. This update fixes the information about SMBIOS on the dmidecode(8) manual page.

BZ#814417

Prior to this update, description of the "-SecurityTypes" option in the TigerVNC utility was missing in the vncviewer(1) and Xvnc(1) manual pages. This update adds a description to the vncviewer(1) and Xvnc(1) manual pages.

BZ#845657

Prior to this update, the localalloc option on the numactl(8) manual page was not clearly described. This update adds a clear description of the localalloc option to the numactl(8) utility.

BZ#846591

Prior to this update, some options were missing from the ipmitool(1) manual page. With this update, all options are described on the ipmitool(1) manual page.

BZ#849201

Previously, the alsaunmute(1) manual page was missing. This update adds the alsaunmute(1) manual page.

BZ#853959

Prior to this update, the "--no-tpm" option was not described in the rngd(8) manual page. This update adds a description of the "--no-tpm" option.

BZ#867332

Prior to this update, the groupmems(8) manual page was missing information about the setuid permission of the groupmems binary. This update clarifies the setuid permission in the groupmems(8) manual page.

BZ#872526

Prior to this update, the dump(8) manual page was missing information about the ext4 file system support. This update adds this information to the dump(8) manual page.

Users of man-pages-overrides are advised to upgrade to this updated package, which fixes these bugs.

6.138. man-pages

6.138.1. RHBA-2013:0447 — man-pages bug fix and enhancement update

An updated man-pages package that fixes numerous bugs and adds two enhancements is now available for Red Hat Enterprise Linux 6.

The man-pages package provides man (manual) pages from the Linux Documentation Project (LDP).

Bug Fixes

BZ#714073

Prior to this update, a manual page for the fattach() function was missing. This update adds the fattach(2) manual page.

BZ#714074

Prior to this update, a manual page for the recvmmsg() call was missing. This update adds the recvmmsg(2) manual page.

BZ#714075

Prior to this update, manual pages for the cciss and hpsa utilities were missing. This update adds the cciss(4) and hpsa(4) manual pages.

BZ#714078

The host.conf(5) manual page contained a description for the unsupported order keyword. This update removes the incorrect description.

BZ#735789

Prior to this update, the clock_gettime(2), clock_getres(2), and clock_nanosleep(2) manual pages did not mention the -lrt option. With this update, the description of the -lrt option has been added to the aforementioned manual pages.

BZ#745152

This update adds the description of the single-request-reopen to the resolv.conf(5) manual page.

BZ#745501

With this update, usage of SSSD in the nsswitch.conf file is now described in the nsswitch.conf(5) manual page.

BZ#745521

With this update, the new UMOUNT_NOFOLLOW flag is described in the umount(2) manual page.

BZ#745733

Previously, a manual page for the sendmmsg() function was missing. This update adds the sendmmsg(2) manual page.

BZ#752778

Previously, the db(3) manual page was pointing to the non-existent dbopen(3) manual page. When the man db command was issued, the following error message was returned:

fopen: No such file or directory.

With this update, the db(3) manual page is removed.

BZ#771540

This update adds the missing description of the TCP_CONGESTION socket option to the tcp(7) manual page.

BZ#804003

Descriptions of some socket options were missing in the ip(7) manual page. This update adds these descriptions to the ip(7) manual page.

BZ#809564

Prior to this update, the shmat(2) manual page was missing the description for the EIDRM error code. With this update, this description has been added to the shmat(2) manual page.

BZ#822317

The bdflush(2) system call manual page was missing information that this system call is obsolete. This update adds this information to the bdflush(2) manual page.

BZ#835679

The nscd.conf(5) manual page was not listing “services” among valid services. With this update, “services” are listed in the nscd.conf(5) manual page as expected.

BZ#840791

Previously, the nsswitch.conf(5) manual page lacked information on the search mechanism, particularly about the notfound status. This update provides an improved manual page with added description of notfound.

BZ#840796

Prior to this update, the behavior of the connect() call with the local address set to the INADDR_ANY wildcard address was insufficiently described in the ip(7) manual page. Possible duplication of the local port after the call was not acknowledged. With this update, the documentation has been reworked in order to reflect the behavior of the connect() call correctly.

BZ#840798

Due to the vague description of the getdents() function in the getdents(2) manual page, the risk of using this function directly was not clear enough. The description has been extended with a warning to prevent incorrect usage of the getdents() function.

BZ#840805

The nscd.conf(5) manual page was missing descriptions and contained several duplicate entries. With this update, the text has been clarified and redundant entries have been removed.

BZ#857163

Previously, the tzset(3) manual page contained an incorrect interval in the description of the start and end format for Daylight Saving Time. Consequently, users thought the number was 1-based rather than 0-based when not using the J option. With this update, the manual page has been corrected. The Julian day can be specified with an interval of 0 to 365 and February 29 is counted in leap years when the J option is not used.

BZ#857962

The description of the /proc/sys/fs/file-nr file in the proc(5) manual page was outdated. This update adds the current information to this manual page.

BZ#858278

The connect(2) manual page in the Error section listed the EAGAIN error code instead of the EADDRNOTAVAIL error code. This update amends the manual page with correct information.

Enhancements

BZ#857162

An update in the close(2) man page explains the interaction between system calls close() and recv() in different threads.

BZ#858240

This update adds the description of the --version switch to the zdump(8) manual page.

All users of man-pages are advised to upgrade to this updated package, which fixes these bugs and adds these enhancements.

6.139. man

6.139.1. RHBA-2013:0392 — man bug fix update

Updated man packages that fix one bug are now available for Red Hat Enterprise Linux 6.

The man packages provide the man, apropos, and whatis tools to find information and documentation about the Linux system.

Bug Fix

BZ#815209

Previously, the patch for the man-pages-overrides package ignored localized man pages. Consequently, installing this package also overrode man pages localized in different languages. With this update, this bug has been fixed and man pages from the man-pages-overrides package now override only man pages in the same language.

All users of man are advised to upgrade to these updated packages, which fix this bug.

6.140. matahari

6.140.1. RHBA-2013:0404 — removed packages: matahari

The matahari packages have been removed from Red Hat Enterprise Linux 6.

The matahari packages provide a set of APIs for operating system management that are exposed to remote access over the Qpid Management Framework (QMF).

With this update, an empty package has been provided to ensure that the matahari packages are removed from Red Hat Enterprise Linux 6. (BZ#833109)

All users of matahari are advised to remove these packages.

6.141. mcelog

6.141.1. RHBA-2013:0285 — mcelog bug fix and enhancement update

Updated mcelog packages that fix numerous bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The mcelog package contains a daemon that collects and decodes Machine Check Exception (MCE) data on AMD64 and Intel 64 machines.

Upgrade to an upstream version

The mcelog packages have been upgraded to upstream version 0.6, which provides a number of bug fixes and enhancements over the previous version. (BZ#795931)

Bug Fixes

BZ#851406

The mcelog(8) man page contained incorrect information about usage of the "--supported" flag. This man page has been updated and the information is correct now.

BZ#871249

Previously, the mcelog daemon ignored the 15h microarchitecture family of AMD processors and did not report the Machine Check Exception (MCE) errors. Consequently, reported errors were unavailable to system administrators. The 15h microarchitecture family of AMD processors has been added to the list of supported processors and mcelog reports MCE errors correctly in this case.

Enhancement

BZ#740915

This enhancement adds support for the Intel Core i5 and i7 processors to the mcelog packages.

All users of mcelog are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.142. mdadm

6.142.1. RHBA-2013:0440 — mdadm bug fix update

Updated mdadm packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The mdadm packages contain a utility for creating, managing, and monitoring Linux MD (multiple disk) devices.

Upgrade to an upstream version

The mdadm packages have been upgraded to upstream version 3.2.5, which provides a number of bug fixes and enhancements over the previous version. (BZ#812358)

Bug Fixes

BZ#824815

While an Intel Matrix Storage Manager (IMSM) RAID volume was in the process of a reshape, an attempt to stop all arrays could cause an IMSM RAID array to be broken or corrupted. The underlying source code has been modified and mdadm works as expected in the described scenario.

BZ#862565

This update clarifies a number of mdadm license ambiguities.

BZ#878810

The IMSM optional ROM (OpROM) does not support RAID volumes across more than one controller. Previously, creating an IMSM RAID volume across more than one controller caused data loss. With this update, creating an IMSM RAID volume on multiple controllers is forbidden to prevent the data loss.

BZ#880208

Previously, it was possible to create a second RAID1 volume with the size equal to 0. As a consequence, when resyncing the first RAID1 volume was finished, the system became unresponsive. This update applies a patch to correct this error and it is no longer possible to create a second RAID1 volume with the size equal to 0.

BZ#880225

After turning off two disk drives of a RAID1 volume, using the "mdadm --detail" command caused mdadm to terminate unexpectedly with a segmentation fault. This update applies a patch that fixes this bug. Using the "mdadm --detail" command now returns valid information and mdadm no longer crashes in the described scenario.

BZ#820643

This update fixes the map file location in the mdadm(8) man page.

Users of mdadm are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.143. mesa

6.143.1. RHBA-2013:0344 — mesa bug fix and enhancement update

Updated mesa packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

Mesa provides a 3D graphics API that is compatible with Open Graphics Library (OpenGL). It also provides hardware-accelerated drivers for many popular graphics chips.

Upgrade to an upstream version

The mesa packages have been upgraded to upstream version 9.0, which provides a number of bug fixes and enhancements over the previous version. (BZ#835200)

Bug Fixes

BZ#786508, BZ#820746

If the user logged in from Red Hat Enterprise Linux 5 to a Red Hat Enterprise Linux 6 machine by using the "ssh" command with the "-Y" option, an attempt to run an application that uses GLX failed with the "Error: couldn't find RGB GLX visual or fbconfig" error message. This bug has been fixed and the remote login now works as expected.

BZ#885882

Due to an error in the mesa packages, using the multisample anti-aliasing (MSAA) technique with the KWin window manager caused errors in the desktop compositing. This update provides a patch that fixes this bug and MSAA now works correctly with the KWin window manager.

BZ#901627

Previously, connecting to a remote machine using SSH with X11 forwarding enabled caused a "failed to load driver: i965" error in the libGL library. With this update, a patch has been provided to fix this bug and drivers are now loaded as expected.

Enhancements

BZ#816661

An accelerated driver for Intel Core i5 and i7 processors has been added to the mesa packages.

BZ#835201

This update adds the new mesa-dri1-drivers package to mesa. This package implements support for the DRI1 drivers.

All users of mesa are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.144. microcode_ctl

6.144.1. RHBA-2013:0348 — microcode_ctl bug fix and enhancement update

Updated microcode_ctl packages that fix a bug and add various enhancements are now available for Red Hat Enterprise Linux 6.

The microcode_ctl packages provide utility code and microcode data to assist the kernel in updating the CPU microcode at system boot time. This microcode supports all current x86-based, Intel 64-based, and AMD64-based CPU models. It takes advantage of the mechanism built-in to Linux that allows microcode to be updated after system boot. When loaded, the updated microcode corrects the behavior of various processors, as described in processor specification updates issued by Intel and AMD for those processors.

Bug Fix

BZ#740932

Previously, a udev rule in /lib/udev/rules.d/89-microcode.rules allowed the module to load more than once. On very large systems (for example, systems with 2048 or more CPUs), this could result in the system becoming unresponsive on boot. With this update, the udev rule has been changed to ensure the module loads only once. Very large systems now boot as expected.

Enhancements

BZ#818096

The Intel CPU microcode file has been updated to version 20120606.

BZ#867078

The AMD CPU microcode file has been updated to version 20120910.

All users of microcode_ctl are advised to upgrade to these updated packages, which fix this bug and add these enhancements. Note: a system reboot is necessary for this update to take effect.

6.145. mlocate

6.145.1. RHBA-2012:1355 — mlocate bug fix update

Updated mlocate packages that fix two bugs are now available for Red Hat Enterprise Linux 6.

The mlocate packages provide a locate/updatedb implementation. Mlocate keeps a database of all existing files and allows you to look up files by name.

Bug Fixes

BZ#690800

Prior to this update, the locate(1) manual page contained a misprint. This update corrects the misprint.

BZ#699363

Prior to this update, the mlocate tool aborted the "updatedb" command if an incorrect filesystem implementation returned a zero-length file name. As a consequence, the locate database was not updated. This update detects invalid zero-length file names, warns about them, and continues updating the locate database.

All users of mlocate are advised to upgrade to these updated packages, which fix these bugs.

6.146. mod_authz_ldap

6.146.1. RHBA-2012:1389 — mod_authz_ldap bug fix update

Updated mod_authz_ldap packages that fix three bugs are now available for Red Hat Enterprise Linux 6.

The mod_authz_ldap packages provide a module for the Apache HTTP Server to authenticate users against an LDAP database.

Bug Fixes

BZ#607797

Prior to this update, the License field of the mod_authz_ldap packages contained an incorrect tag. This update modifies the license text. Now, the license tag correctly reads "ASL1.0".

BZ#643691

Prior to this update, the mod_authz_ldap module could leak memory. As a consequence, the memory consumption of the httpd process could increase as more requests were processed. This update modifies the underlying code to handle LDAP correctly. Now, the memory consumption is at expected levels.

BZ#782442

Prior to this update, when an LDAP bind password was configured, passwords were logged in plain text to the error log if a connection error occurred. This update modifies the underlying code to prevent passwords from being logged in error conditions.

All users of mod_authz_ldap are advised to upgrade to this updated package, which fixes these bugs.

6.147. mod_nss

6.147.1. RHBA-2013:0513 — mod_nss bug fix and enhancement update

Updated mod_nss packages that fix one bug and add two enhancements are now available for Red Hat Enterprise Linux 6.

The mod_nss module provides strong cryptography for the Apache HTTP Server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, using the Network Security Services (NSS) security library.

Bug Fix

BZ#769906

The mod_nss module reported 'Required value NSSCipherSuite not set.' even though a value for NSSCipherSuite was present in the virtual host. This bug was a configuration issue which was exacerbated by a couple of confusing log messages. As a result, several log messages were changed to help clarify what values were actually missing.

Enhancements

BZ#816394

Added support for TLSv1.1 to the mod_nss module.

BZ#835071

Added the ability to share mod_proxy with other SSL providers.

Users of mod_nss are advised to upgrade to these updated packages, which fix this bug and add these enhancements.

6.148. mod_revocator

6.148.1. RHBA-2013:0411 — mod_revocator bug fix update

Updated mod_revocator packages that fix one bug are now available for Red Hat Enterprise Linux 6.

The mod_revocator module retrieves and installs remote Certificate Revocation Lists (CRLs) into an Apache web server.

Bug Fix

BZ#861999

When "exec" URIs were used to configure Certificate Revocation Lists (CRLs), the mod_revocator module failed to load these URIs with the following error message:

Unable to load Revocation module, NSS error -8187. CRL retrieval will be disabled.

A patch has been provided to fix this problem, and CRL URIs are now loaded as expected in this scenario.

Users of mod_revocator are advised to upgrade to these updated packages, which fix this bug.

6.149. module-init-tools

6.149.1. RHBA-2013:0442 — module-init-tools bug fix update

Updated module-init-tools packages that fix one bug are now available for Red Hat Enterprise Linux 6.

The module-init-tools packages include various programs needed for automatic loading and unloading of modules under kernels version 2.6 and later, as well as other module management programs. Device drivers and file systems are two examples of loaded and unloaded modules.

Bug Fix

BZ#670653

Previously, the rpmbuild utility received warnings about specific tags being deprecated for module-init-tools. This update fixes the module-init-tools spec file and rpmbuild no longer receives warnings.

Users of module-init-tools are advised to upgrade to these updated packages, which fix this bug.

6.150. mod_wsgi

6.150.1. RHBA-2012:1358 — mod_wsgi bug fix and enhancement update

Updated mod_wsgi packages that fix one bug and add one enhancement are now available for Red Hat Enterprise Linux 6.

The mod_wsgi packages provide an Apache httpd module, which implements a WSGI compliant interface for hosting Python based web applications.

Bug Fix

BZ#670577

Prior to this update, a misleading warning message from the mod_wsgi utilities was logged during startup of the Apache httpd daemon. This update removes this message from the mod_wsgi module.

Enhancement

BZ#719409

With this update, access to the SSL connection state is now available in WSGI scripts using the methods "mod_ssl.is_https" and "mod_ssl.var_lookup".

All users of mod_wsgi are advised to upgrade to these updated packages, which fix this bug and add this enhancement.
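
A WSGI script can use the two methods named in BZ#719409 to refuse requests that did not arrive over an acceptable TLS connection. The following is an added example, not code from mod_wsgi or from these notes; it assumes the methods are exposed as callables in the WSGI environ under those two names, and the protocol allow-list, the `example.tls_state` key and all helper names are hypothetical.

```python
"""Fail-closed TLS gate for a WSGI application hosted by mod_wsgi (added example)."""

# Assumption: site policy for acceptable protocol versions, not from the release notes.
ALLOWED_PROTOCOLS = frozenset(["TLSv1.1", "TLSv1.2"])


def tls_state(environ):
    """Collect the connection's TLS facts through the mod_ssl callables.

    Assumption: environ["mod_ssl.is_https"] takes no arguments and
    environ["mod_ssl.var_lookup"] takes one mod_ssl variable name.
    """
    is_https = environ.get("mod_ssl.is_https")
    var_lookup = environ.get("mod_ssl.var_lookup")
    if not callable(is_https) or not callable(var_lookup):
        # Callables missing (older mod_wsgi, other server): treat as not secure.
        return {"https": False, "protocol": None,
                "client_verify": None, "client_dn": None}

    def lookup(name):
        # Normalise both "" and None to None.
        return var_lookup(name) or None

    return {
        "https": bool(is_https()),
        "protocol": lookup("SSL_PROTOCOL"),
        "client_verify": lookup("SSL_CLIENT_VERIFY"),
        "client_dn": lookup("SSL_CLIENT_S_DN"),
    }


def rejection_reason(state, need_client_cert):
    """Return a short reason string, or None when the request may proceed."""
    if not state["https"]:
        return "HTTPS required"
    if state["protocol"] not in ALLOWED_PROTOCOLS:
        return "TLS protocol version not allowed"
    if need_client_cert and state["client_verify"] != "SUCCESS":
        return "verified client certificate required"
    return None


def require_tls(app, need_client_cert=False):
    """Wrap a WSGI app so that it only runs on an acceptable TLS connection."""
    def guarded(environ, start_response):
        state = tls_state(environ)
        reason = rejection_reason(state, need_client_cert)
        if reason is not None:
            body = reason.encode("utf-8")
            start_response("403 Forbidden",
                           [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
            return [body]
        # Hand the verified state to the application under a hypothetical key.
        environ["example.tls_state"] = state
        return app(environ, start_response)
    return guarded


def hello_app(environ, start_response):
    """Tiny application that greets the verified certificate subject."""
    who = environ["example.tls_state"]["client_dn"] or "anonymous"
    body = ("hello " + who).encode("utf-8")
    start_response("200 OK",
                   [("Content-Type", "text/plain"),
                    ("Content-Length", str(len(body)))])
    return [body]


def fake_environ(https, variables):
    """Constructed environ that mimics the two callables for offline runs."""
    return {
        "REQUEST_METHOD": "GET",
        "mod_ssl.is_https": lambda: https,
        "mod_ssl.var_lookup": lambda name: variables.get(name),
    }


def run_request(app, environ):
    """Drive one request through a WSGI app and return (status, body text)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode("utf-8")


if __name__ == "__main__":
    strict = require_tls(hello_app, need_client_cert=True)
    sample = fake_environ(True, {"SSL_PROTOCOL": "TLSv1.2",
                                 "SSL_CLIENT_VERIFY": "SUCCESS",
                                 "SSL_CLIENT_S_DN": "CN=alice,O=Example"})
    print(run_request(strict, sample))
    print(run_request(strict, fake_environ(False, {})))
```

The gate fails closed: if the callables are absent from the environ, the request is treated as plain HTTP and rejected.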

6.151. mrtg

6.151.1. RHBA-2012:1449 — mrtg bug fix update

Updated mrtg packages that fix three bugs are now available for Red Hat Enterprise Linux 6.

The mrtg packages provide the Multi Router Traffic Grapher (MRTG) to monitor the traffic load on network-links. MRTG generates HTML pages containing Portable Network Graphics (PNG) images, which provide a live, visual representation of this traffic.

Bug Fix

BZ#706519

Prior to this update, the MRTG tool did not handle the socket6 correctly. As a consequence, MRTG reported errors when run on a system with an IPv6 network interface due to a socket conflict. This update modifies the underlying code to handle socket6 as expected. (#706519)

BZ#707188

Prior to this update, changing the "kMG" keyword in the MRTG configuration could cause the labels on the y-axis to overlap the main area of the generated chart. With this update, an upstream patch has been applied to address this issue, and changing the "kMG" keyword in the configuration no longer leads to the incorrect rendering of the resulting charts.

BZ#836197

Prior to this update, the wrong value was returned from the IBM Fibrechannel switch when using the ifSpeed interface. As a consequence, mrtg cfgmaker failed to use ifHighSpeed on IBM FibreChannel switches. This update modifies the underlying code to return the correct value.

All users of mrtg are advised to upgrade to these updated packages, which fix these bugs.

6.152. mt-st

6.152.1. RHBA-2012:1409 — mt-st bug fix update

Updated mt-st packages that fix one bug are now available for Red Hat Enterprise Linux 6.

The mt-st package contains the mt and st tape drive management programs. Mt (for magnetic tape drives) and st (for SCSI tape devices) can control rewinding, ejecting, skipping files and blocks and more.

Bug Fix

BZ#820245

Prior to this update, the stinit init script did not support standard actions like "status" or "restart". As a consequence, an error code was returned. This update modifies the underlying code to use all standard actions.

All users of mt-st are advised to upgrade to these updated packages, which fix this bug.

6.153. netcf

6.153.1. RHBA-2013:0494 — netcf bug fix update

Updated netcf packages that fix one bug are now available for Red Hat Enterprise Linux 6.

The netcf packages contain a library for modifying the network configuration of a system. Network configuration is expressed in a platform-independent XML format, which netcf translates into changes to the system's "native" network configuration files.

Bug Fix

BZ#886862

Previously, the netcf utility had been calling the nl_cache_mngt_provide() function in the libnl library, which was not thread-safe. Consequently, the libvirtd daemon could terminate unexpectedly. As nl_cache_mngt_provide() was not necessary for proper operation, it is no longer called by netcf, thus preventing this bug.

Users of netcf are advised to upgrade to these updated packages, which fix this bug.

6.154. net-snmp

6.154.1. RHBA-2013:0421 — net-snmp bug fix update

Updated net-snmp packages that fix several bugs are now available for Red Hat Enterprise Linux 6.

The net-snmp packages provide various libraries and tools for the Simple Network Management Protocol (SNMP), including an SNMP library, an extensible agent, tools for requesting or setting information from SNMP agents, tools for generating and handling SNMP traps, a version of the netstat utility which uses SNMP, and a Tk/Perl Management Information Base (MIB) browser.

Bug Fixes

BZ#829271

Previously, there was a limit of 50 exec entries in the /etc/snmp/snmpd.conf configuration file. With more than 50 such entries in the file, the snmpd daemon reported the following error message:

Error: No further UCD-compatible entries

With this update, the fixed limit has been removed, and there can now be any number of exec entries in /etc/snmp/snmpd.conf.

BZ#848319

Prior to this update, the libnetsnmpmibs.so.20 and libnetsnmphelpers.so.20 libraries did not contain an RPATH entry to the libperl.so package for embedding Perl. This could cause problems when linking custom SNMP applications or modules. An upstream patch, which adds RPATH for the Perl libraries, has been provided, and all libperl.so references are now resolved.

BZ#800671

Previously, the snmpd daemon ignored the trapsess -e <engineID> configuration option in the /etc/snmp/snmpd.conf file and sent a default engineID string even if trapsess was configured with an explicit engineID value. An upstream patch has been provided to fix this bug and snmpd now sends outgoing traps with an engineID string as specified in /etc/snmp/snmpd.conf.

BZ#846436

Due to a possible race condition, the snmpd daemon could fail to count some processes when filling in the UCD-SNMP-MIB::prTable table. With this update, the underlying source code has been adapted to prevent such a race condition, so that all processes are now counted as expected.

BZ#833013

Prior to this update, the snmpd daemon ignored the port number of the clientaddr option when specifying the source address of outgoing SNMP requests. As a consequence, the system assigned a random port number to the UDP socket. This update introduces a new configuration option clientaddrUsesPort, which, if set to yes, allows specifying both the port number and the source IP address in the clientaddr option. Now, administrators can increase security with firewall rules and SELinux policies by configuring a specific source port of outgoing traps and other requests.

BZ#851637

When the snmpd daemon was shutting down during processing of internal queries, a request was neither marked as failed nor finished, and snmpd waited indefinitely for the request to be processed. With this update, snmpd marks all internal queries as failed during shutdown.

BZ#842279

Previously, implementation of the UCD-SNMP-MIB::extCommand variable in the snmpd daemon reported only names of the executable parameters, missing all other command line parameters. With this update, UCD-SNMP-MIB::extCommand has been fixed and snmpd returns the full command line output.

BZ#784502

Previously, the snmptrapd(8) manual page did not properly describe how to load multiple configuration files using the -c option. With this update, the manual page has been fixed and describes that multiple configuration files must be separated by the comma character.

BZ#846532, BZ#861152

In the previous net-snmp update, implementation of the HOST-RESOURCES-MIB::hrStorageTable table was rewritten and devices with CentraVision File System (CVFS) and OpenVZ container file systems (simfs) were not reported. With this update, the snmpd daemon properly recognizes CVFS and simfs devices and reports them in HOST-RESOURCES-MIB::hrStorageTable.

BZ#846906

When the snmpd daemon was not able to expand a 32-bit counter provided by the operating system to 64 bits, as required by SNMP standards, the snmpd daemon occasionally reported the following error messages:

c64 32 bit check failed

Error expanding XXX to 64bits

looks like a 64bit wrap, but prev!=new

These messages were in fact harmless but confusing. This update suppresses them and they are no longer returned in the described scenario.

BZ#845157

The snmpd daemon reported an error message to system log files when it could not open the following files: /proc/net/if_inet6, /proc/net/snmp6, /proc/net/ipv6_route, /proc/net/tcp6, and /proc/net/udp6. These files are typically missing on machines with disabled IPv6 networking, and thus reporting such error messages for them is meaningless. With this update, the error messages are suppressed, and the system log files are not filled with redundant messages.

BZ#848155

Prior to this update, the net-snmp utility failed to read the diskIOLA1, diskIOLA5, and diskIOLA15 object variables of the UCD-DISKIO-MIB object, as these variables were not implemented on the Linux operating system. Consequently, the snmptable utility failed to return values of the three variables correctly. With this update, these objects are implemented and their values are now displayed in the UCD-DISKIO-MIB::diskIOTable table as expected.

BZ#825889

Previously, the snmpd daemon was updated to send an SNMP response to broadcast requests from the same interface on which an SNMP response had been received. However, this update also introduced a bug which prevented snmpd from sending responses to unicast requests on multihomed machines. This update fixes this bug, so the snmpd daemon is now able to both answer unicast requests on multihomed machines and send responses to broadcast requests from the same interface on which the request has been received.

BZ#824402

Previously, the snmptrapd daemon terminated the embedded Perl interpreter immediately after the TERM signal was received, regardless of whether embedded Perl code was still being used. Consequently, snmptrapd could rarely terminate unexpectedly during shutdown. With this update, the embedded Perl interpreter is destroyed later during the snmptrapd shutdown, when all Perl processing is finished.

Users of net-snmp are advised to upgrade to these updated packages, which fix these bugs.

6.155. NetworkManager

6.155.1. RHBA-2013:0429 — NetworkManager bug fix and enhancement update

Updated NetworkManager packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

NetworkManager is a system network service that manages network devices and connections, attempting to keep active network connectivity when available. It manages Ethernet, wireless, mobile broadband (WWAN), and PPPoE (Point-to-Point Protocol over Ethernet) devices, and provides VPN integration with a variety of different VPN services.

Bug Fixes

BZ#813573

Previously, NetworkManager did not allow selecting the WPA protocol version for a connection. Certain enterprise WLAN networks using Cisco equipment do not allow roaming between WPA and WPA2 Virtual Access Points (VAP) provided by the same physical access point, requiring the use of a specific WPA protocol version to prevent disconnections. This update adds a WPA protocol combo box to the NetworkManager user interface allowing a specific WPA protocol version to be used when necessary, thus preventing this problem.

BZ#829499

Previously, NetworkManager tried to enable an interface only once. Consequently, after a network failure, if a link was restored before the connection to a DHCP server was functioning, NetworkManager sometimes timed out and failed to bring up the interface. A patch has been applied so that NetworkManager now tries three times to connect after a failure and then again in five minute intervals. As a result, NetworkManager can now more reliably restore connections after a network failure.

BZ#833199

Due to a bug in reading and writing network configuration files, network connections using the LEAP authentication method could not be made available to all users. A patch has been applied to address this issue and the network configuration files now allow LEAP as expected.

BZ#834349

When a connection was locked to a specific WPA protocol version (either v1 or v2/RSN) via either the GConf system or settings in the "/etc/sysconfig/network-scripts/" configuration files, NetworkManager overwrote that preference when the connection was edited and saved. This bug has been fixed and such WPA preferences are now preserved in the described scenario.

BZ#837056

When attempting to configure a wireless LEAP authenticated connection, the credentials were asked for twice by the authentication dialog. A patch has been applied and the problem no longer occurs.

BZ#840580

The NetworkManager service logged a warning when the Bluetooth service was not running or not installed. A patch has been applied to prevent this and the problem no longer occurs.

Enhancements

BZ#558983

This update adds bridging support for NetworkManager. Note that this is dependent on the NM_BOND_VLAN_ENABLED directive in /etc/sysconfig/network. If and only if that directive is present and is one of yes, y, or true, will NetworkManager detect and manage bridging, bonding and VLAN interfaces.

BZ#465345

The NetworkManager service now provides support for bonding network connections as well as creating VLAN and IPoIB network connections.

BZ#817660

NetworkManager now copies the DHCP lease files created by init scripts if they are newer than those NetworkManager currently has. This results in a more seamless takeover of DHCP assigned connections.

BZ#834444

This update enables Proactive Key Caching (PKC), also known as Opportunistic Key Caching (OKC), for all WPA-Enterprise configurations.

BZ#901662

A number of improvements have been made to NetworkManager to allow more bonding options and to handle incompatibilities between options. As a result, more complex bonding configurations can now be controlled by NetworkManager.

All users of NetworkManager are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.156. nfs-utils-lib

6.156.1. RHBA-2013:0467 — nfs-utils-lib bug fix update

Updated nfs-utils-lib packages that fix one bug are now available for Red Hat Enterprise Linux 6.

The nfs-utils-lib packages provide support libraries that programs in the nfs-utils package require.

Bug Fix

BZ#804812

When building the list of local realms, idmapd overwrote the string buffer, which is used to keep that list, every time a new realm was added to the list. As a consequence, the idmapd daemon logged only the last local realm added to the list. This update modifies the source code so the realms are correctly appended to the string buffer and idmapd now logs the complete list of the local realms as expected. Also, buffer size calculation has been corrected.

Users of nfs-utils-lib are advised to upgrade to these updated packages, which fix this bug.

6.157. nfs-utils

6.157.1. RHBA-2013:0468 — nfs-utils bug fix update

Updated nfs-utils packages that fix several bugs are now available for Red Hat Enterprise Linux 6.

The nfs-utils packages provide a daemon for the kernel Network File System (NFS) server, and related tools such as mount.nfs, umount.nfs, and showmount.

Bug Fixes

BZ#797209

Prior to this update, the rpc.mountd daemon could cause NFS clients with already mounted NFSv3 shares to become suspended. This update modifies the underlying code to parse the IP address earlier.

BZ#802469

Prior to this update, nfs-utils allowed stronger encryption types than Single DES. As a consequence, mounts to legacy servers that used the "-o sec=krb5" option failed. This update adds the -l flag to allow only Single DES. Now, secure mounts work with legacy servers as expected.

BZ#815673

Prior to this update, NFS clients could fail to mount a share with the NFSv4 server if the server had a large number of exports to netgroups. As a consequence, NFSv4 mounts could become suspended. This update modifies the use_ipaddr case so that NFSv4 now mounts as expected.

BZ#849945

Prior to this update, the NFS idmapper failed to initialize as expected. As a consequence, file permissions were incorrect. This update modifies the underlying code so that the idmapper initializes correctly.

Users of nfs-utils are advised to upgrade to these updated packages, which fix these bugs.

6.158. nss-pam-ldapd

6.158.1. RHBA-2013:0413 — nss-pam-ldapd bug fix update

Updated nss-pam-ldapd packages that fix three bugs are now available for Red Hat Enterprise Linux 6.

The nss-pam-ldapd packages provide the nss-pam-ldapd daemon (nslcd), which uses a directory server to look up name service information on behalf of a lightweight nsswitch module.

Bug Fixes

BZ#747281

Prior to this update, the disconnect logic contained a misprint and a failure return value was missing. This update corrects the misprint and adds the missing return value.

BZ#769289

Prior to this update, the nslcd daemon performed the idle time expiration check for the LDAP connection before starting an LDAP search operation. On a lossy network or if the LDAP server was under a heavy load, the connection could time out after the successful check and the search operation then failed. With this update, the idle time expiration test is now performed during the LDAP search operation so that the connection no longer expires under these circumstances.

BZ#791042

Prior to this update, when the nslcd daemon requested access to a large group, a buffer provided by the glibc library could not contain such a group, and the operation was retried with a larger buffer to process it successfully. As a consequence, redundant error messages were logged in the /var/log/message file. This update makes sure that even when glibc provides a buffer that is too small on first attempt in the described scenario, no redundant error messages are returned.

All users of nss-pam-ldapd are advised to upgrade to these updated packages, which fix these bugs.

6.159. nss, nss-util, nspr

6.159.1. RHBA-2013:0445 — nss, nss-util, nspr bug fix and enhancement update

Updated nss, nss-util, and nspr packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities.

Upgrade to an upstream version

The nss and nss-util packages have been upgraded to upstream version 3.14, which provides a number of bug fixes and enhancements over the previous version, in particular support for TLS version 1.1 in NSS (RFC 4346). In addition, the nspr packages have been upgraded to upstream version 4.9.2. Note that support for certificate signatures using the MD5 hash algorithm is now disabled by default. For more information, refer to the Mozilla NSS 3.14 Release Notes. (BZ#837089, BZ#863285, BZ#863286)

Bug Fixes

BZ#555019

The Privacy Enhanced Mail (PEM) module initialization function did not return an error informing the caller that it is not thread-safe. Consequently, invalid writes were made resulting in unexpected terminations in multi-threaded libcurl-based applications. The PEM module initialization function now returns the PKCS #11 prescribed CKR_CANT_LOCK constant when the type of locking requested by the caller for thread safety is not available. As a result, clients are informed of the lack of thread safety and can provide their own locking to prevent crashes.

BZ#827351

Due to a missing out-of-memory (OOM) check and improper freeing of allocated memory, the Privacy Enhanced Mail (PEM) module did not fully validate the encoding of certificates stored in a PEM-formatted file. As a consequence, error handling tests failed. With this update, the PEM module correctly validates the encoding, handles memory deallocation consistently, and error handling tests pass as expected.

Users of nss, nspr, and nss-util are advised to upgrade to these updated packages, which fix these bugs and add these enhancements. After installing this update, applications using NSS, NSPR, or nss-util must be restarted for this update to take effect.

6.160. ntp

6.160.1. RHBA-2013:0495 — ntp bug fix update

Updated ntp packages that fix one bug are now available for Red Hat Enterprise Linux 6.

The Network Time Protocol (NTP) is used to synchronize a computer's time with a referenced time source.

Bug Fix

BZ#875798

When at least one system network interface had an IPv6 address and the network service was stopped or started, the ntpd daemon could terminate unexpectedly. This happened if the ntpd service attempted to read the device addresses at the moment when the network service had managed to configure only the IPv6 address of the first device. With this update, the underlying library function has been fixed and the daemon no longer crashes in the scenario described.

All users of ntp are advised to upgrade to these updated packages, which fix this bug.

6.161. numactl

6.161.1. RHBA-2013:0401 — numactl bug fix and enhancement update

Updated numactl packages that fix several bugs and add one enhancement are now available for Red Hat Enterprise Linux 6.

The numactl packages provide a simple Non-Uniform Memory Access (NUMA) policy support and consist of the numactl program to run other programs with a specific NUMA policy and the libnuma library to do allocations in applications using the NUMA policy.

Bug Fixes

BZ#804480

Previously, the number of CPUs was miscalculated from the "/sys/devices/system/cpu" directory because the "cpufreq" and "cpuidle" files were counted, so two additional CPUs were added erroneously. With this update, the number of CPUs is now counted correctly.

BZ#814294

The global pointer "numa_all_cpus_ptr" was supposed to be set to a bitmask allocated by the library with bits that represent all CPUs on which the calling thread can execute. Consequently, it did not function as documented when the bitmask was only set to CPU0. With this update, the underlying source code is now fixed and the "numa_all_cpus_ptr" contains only specified CPUs, when the taskset option contains CPU0.

Enhancement

BZ#829896

The existing tool numastat, which was a Perl script, was rewritten to a C program to provide much more NUMA information. The default operation of numastat will remain the same for compatibility with current users' end scripts.

Users of numactl are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.

6.162. numad

6.162.1. RHBA-2013:0358 — numad bug fix and enhancement update

Updated numad packages that fix one bug and add one enhancement are now available for Red Hat Enterprise Linux 6.

The numad packages provide a daemon for NUMA (Non-Uniform Memory Architecture) systems. Numad monitors NUMA characteristics and manages placement of processes and memory to minimize memory latency.

Bug Fix

BZ#825153

Prior to this update, the "-lpthread" linker flag was supplied from both the Makefile and from the spec file. As a consequence, the numad packages encountered linkage problems and failed to build when trying to rebuild these packages from the source rpm. With this update, the flag is supplied only from the spec file and rebuilding the packages no longer fails.

Enhancement

BZ#830919

This update upgrades the numad source code to version 20121015 to be fully supported by Red Hat Enterprise Linux 6.

All users of numad are advised to upgrade to these updated packages, which fix this bug and add this enhancement.

6.163. openchange

6.163.1. RHSA-2013:0515 — Moderate: openchange security, bug fix and enhancement update

Updated openchange packages that fix one security issue, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.

The openchange packages provide libraries to access Microsoft Exchange servers using native protocols. Evolution-MAPI uses these libraries to integrate the Evolution PIM application with Microsoft Exchange servers.

Upgrade to an upstream version

The openchange packages have been upgraded to upstream version 1.0, which provides a number of bug fixes and enhancements over the previous version, including support for the rebased samba4 packages and several API changes. (BZ#767672, BZ#767678)

Security Fix

CVE-2012-1182

A flaw was found in the Samba suite's Perl-based DCE/RPC IDL (PIDL) compiler. As OpenChange uses code generated by PIDL, this could have resulted in buffer overflows in the way OpenChange handles RPC calls. With this update, the code has been generated with an updated version of PIDL to correct this issue.

Bug Fixes

BZ#680061

When the user tried to modify a meeting with one required attendee and himself as the organizer, a segmentation fault occurred in the memcpy() function. Consequently, the evolution-data-server application terminated unexpectedly with a segmentation fault. This bug has been fixed and evolution-data-server no longer crashes in the described scenario.

BZ#870405

Prior to this update, OpenChange 1.0 was unable to send messages with a large message body or with an extensive attachment. This was caused by minor issues in OpenChange's exchange.idl definitions. This bug has been fixed and OpenChange now sends extensive messages without complications.

All users of openchange are advised to upgrade to these updated packages, which fix these issues and add these enhancements.

6.164. OpenIPMI

Updated OpenIPMI packages that fix one bug are now available for Red Hat Enterprise Linux 6.

The OpenIPMI packages provide command-line tools and utilities to access platform information using Intelligent Platform Management Interface (IPMI). System administrators can use OpenIPMI to manage systems and to perform system health monitoring.

Bug Fix

BZ#881450

The kernel ipmi_msghandler and ipmi_si modules are no longer delivered as standalone modules. As a consequence, an error occurred if these modules were used independently. With this update, the OpenIPMI init script has been modified to enable IPMI service operations on a kernel with ipmi_si and ipmi_msghandler statically compiled in the kernel. Also, the service status message now includes a new "in kernel" module state.

Users of OpenIPMI are advised to upgrade to these updated packages, which fix this bug.

6.165. openldap

6.165.1. RHBA-2013:0364 — openldap bug fix and enhancement update

Updated openldap packages that fix multiple bugs and add an enhancement are now available for Red Hat Enterprise Linux 6.

OpenLDAP is an open source suite of LDAP (Lightweight Directory Access Protocol) applications and development tools. LDAP is a set of protocols for accessing directory services (usually phone book style information, but other information is possible) over the Internet, similar to the way DNS (Domain Name System) information is propagated over the Internet. The openldap package contains configuration files, libraries, and documentation for OpenLDAP.

Bug Fixes

BZ#820278

When the smbk5pwd overlay was enabled in an OpenLDAP server and a user changed their password, the Microsoft NT LAN Manager (NTLM) and Microsoft LAN Manager (LM) hashes were not computed correctly. Consequently, the sambaLMPassword and sambaNTPassword attributes were updated with incorrect values, preventing the user from logging in using a Windows-based client or a Samba client. With this update, the smbk5pwd overlay is linked against OpenSSL. As such, the NTLM and LM hashes are computed correctly and password changes work as expected when using smbk5pwd.

BZ#857390

If the TLS_CACERTDIR configuration option used a prefix, which specified a Mozilla NSS database type, such as sql:, and when a TLS operation was requested, the certificate database failed to open. This update provides a patch, which removes the database type prefix when checking the existence of a directory with certificate database, and the certificate database is now successfully opened even if the database type prefix is used.

BZ#829319

When a file containing a password was provided to open a database without user interaction, a piece of unallocated memory could be read and be mistaken to contain a password, causing the connection to become unresponsive. A patch has been applied to correctly allocate the memory for the password file and the connection no longer hangs in the described scenario.

BZ#818572

When a TLS connection to an LDAP server was established, used, and then correctly terminated, the order of the internal TLS shutdown operations was incorrect. Consequently, unexpected terminations and other issues could occur in the underlying cryptographic library (Mozilla NSS). A patch has been provided to reorder the operations performed when closing the connection. Now, the order of TLS shutdown operations matches the Mozilla NSS documentation, thus fixing this bug.

BZ#859858

When TLS was configured to use a certificate from a PEM file while TLS_CACERTDIR was set to use a Mozilla NSS certificate database, the PEM certificate failed to load. With this update, the certificate is first looked up in the Mozilla NSS certificate database and if not found, the PEM file is used as a fallback. As a result, PEM certificates are now properly loaded in the described scenario.

BZ#707599

The OpenLDAP server could be configured for replication with TLS enabled for both accepting connections from remote peers and for TLS client authentication to the other replicas. When different TLS configuration was used for server and for connecting to replicas, a connection to a replica could fail due to TLS certificate lookup errors or due to unknown PKCS#11 TLS errors. This update provides a set of patches, which makes multiple TLS LDAP contexts within one process possible without affecting the others. As a result, OpenLDAP replication works properly in the described scenario.

BZ#811468

When the CA (Certificate Authority) certificate directory hashed via OpenSSL was configured to be used as a source of trusted CA certificates, the libldap library incorrectly expected that filenames of all hashed certificates end with the .0 suffix. Consequently, even though any numeric suffix is allowed, only certificates with .0 suffix were loaded. This update provides a patch that properly checks filenames in OpenSSL CA certificate directory and now all certificates that are allowed to be in that directory are loaded with libldap as expected.

BZ#843056

When multiple LDAP servers were specified with TLS enabled and a connection to a server failed because the host name did not match the name in the certificate, fallback to another server was performed. However, the fallback connection became unresponsive during the TLS handshake. This update provides a patch that re-creates internal structures, which handle the connection state, and the fallback connection no longer hangs in the described scenario.

BZ#864913

When the OpenLDAP server was configured to use the rwm overlay and a client sent the modrdn operation, which included the newsuperior attribute matching the current superior attribute of the entry being modified, the slapd server terminated unexpectedly with a segmentation fault. With this update, slapd is prevented from accessing uninitialized memory in the described scenario, the crashes no longer occur, and the client operation now finishes successfully.

BZ#828787

When a self-signed certificate without Basic Constraint Extension (BCE) was used as a server TLS certificate and the TLS client was configured to ignore any TLS certificate validation errors, the client could not connect to the server and an incorrect message about missing BCE was returned. This update provides a patch to preserve the original TLS certificate validation error if BCE is not found in the certificate. As a result, clients can connect to the server, proper error messages about untrusted certification authority which signed the server certificate are returned, and the connection continues as expected.

BZ#821848

When the slapd server configuration database (cn=config) was configured with replication in mirror mode and the replication configuration (olcSyncrepl) was changed, the cn=config database was silently removed from mirror mode and could not be further modified without restarting the slapd daemon. With this update, changes in replication configuration are properly handled so that the state of mirror mode is now properly preserved and the cn=config database can be modified in the described scenario.

BZ#835012

Previously, the OpenLDAP library looked up an AAAA (IPv6) DNS record while resolving the server IP address even if IPv6 was disabled on the host, which could cause extra delays when connecting. With this update, the AI_ADDRCONFIG flag is set when resolving the remote host address. As a result, the OpenLDAP library no longer looks up the AAAA DNS record when resolving the server IP address if IPv6 is disabled on the local system.
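The filename rule from BZ#811468 above, as an added example (not libldap's code): it compares a ".0"-only check with one that accepts any numeric suffix on a hashed CA directory entry. The 8-hex-digit prefix test, the function names and the directory listing are assumptions constructed for this illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed directory listing for illustration (not from the page). */
static const char *SAMPLE_CACERTDIR[] = {
    "9d66eef0.0",    /* first CA with this subject hash */
    "9d66eef0.1",    /* second CA whose subject hash collides with the first */
    "9d66eef0.10",   /* multi-digit sequence number */
    "2e5ac55d.0",
    "2e5ac55d.r0",   /* CRL link, not a certificate */
    "ca-bundle.crt", /* plain PEM bundle, not a hashed name */
    "9d66eef0.",     /* empty suffix */
    "9d66eef0.1a",   /* non-numeric suffix */
};
#define SAMPLE_COUNT (sizeof(SAMPLE_CACERTDIR) / sizeof(SAMPLE_CACERTDIR[0]))

typedef int (*name_filter)(const char *);

/* Behaviour described as the bug: only names ending in ".0" are accepted. */
static int ends_with_dot_zero(const char *name)
{
    size_t n = strlen(name);
    return n >= 2 && strcmp(name + n - 2, ".0") == 0;
}

/* Corrected rule: <8 hex digits>.<one or more decimal digits>.
 * The hex-prefix check is an assumption of this example. */
static int is_hashed_cert_name(const char *name)
{
    size_t i;

    /* A short name hits its NUL terminator here and is rejected. */
    for (i = 0; i < 8; i++)
        if (!isxdigit((unsigned char)name[i]))
            return 0;
    if (name[8] != '.' || name[9] == '\0')
        return 0;
    for (i = 9; name[i] != '\0'; i++)
        if (!isdigit((unsigned char)name[i]))
            return 0;
    return 1;
}

/* Count how many directory entries a given filter would load. */
static size_t count_loadable(const char *const *names, size_t count,
                             name_filter accept)
{
    size_t i, loaded = 0;

    for (i = 0; i < count; i++)
        if (accept(names[i]))
            loaded++;
    return loaded;
}

int main(void)
{
    size_t i;

    for (i = 0; i < SAMPLE_COUNT; i++)
        printf("%-14s .0-only=%d numeric-suffix=%d\n", SAMPLE_CACERTDIR[i],
               ends_with_dot_zero(SAMPLE_CACERTDIR[i]),
               is_hashed_cert_name(SAMPLE_CACERTDIR[i]));
    printf("loaded: .0-only=%zu numeric-suffix=%zu\n",
           count_loadable(SAMPLE_CACERTDIR, SAMPLE_COUNT, ends_with_dot_zero),
           count_loadable(SAMPLE_CACERTDIR, SAMPLE_COUNT, is_hashed_cert_name));
    return 0;
}
```

With the ".0"-only rule, a CA stored under a later sequence number is skipped without any error, so clients fail to validate chains that the directory was meant to trust.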

Enhancements

BZ#852339

When libldap was configured to use TLS, not all TLS ciphers supported by the Mozilla NSS library could be used. This update provides all missing ciphers supported by Mozilla NSS to the internal list of ciphers in libldap, thus improving libldap security capabilities.

Users of openldap are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.

6.166. openscap

6.166.1. RHBA-2013:0362 — openscap bug fix and enhancement update

Updated openscap packages that fix various bugs and add several enhancements are now available for Red Hat Enterprise Linux 6.

The openscap packages provide OpenSCAP, which is a set of open source libraries for the integration of the Security Content Automation Protocol (SCAP). SCAP is a line of standards that provide a standard language for the expression of Computer Network Defense (CND) related information.

Upgrade to an upstream version

The openscap packages have been upgraded to upstream version 0.9.2, which provides a number of bug fixes and enhancements over the previous version. (BZ#829349)

All users of openscap are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.167. openssh

6.167.1. RHSA-2013:0519 — Moderate: openssh security, bug fix and enhancement update

Updated openssh packages that fix one security issue, multiple bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.

OpenSSH is OpenBSD's Secure Shell (SSH) protocol implementation. These packages include the core files necessary for the OpenSSH client and server.

Security Fix

CVE-2012-5536

Due to the way the pam_ssh_agent_auth PAM module was built in Red Hat Enterprise Linux 6, the glibc's error() function was called rather than the intended error() function in pam_ssh_agent_auth to report errors. As these two functions expect different arguments, it was possible for an attacker to cause an application using pam_ssh_agent_auth to crash, disclose portions of its memory or, potentially, execute arbitrary code.

Note

Note that the pam_ssh_agent_auth module is not used in Red Hat Enterprise Linux 6 by default.

Bug Fixes

BZ#821641

Not all possible options for the new RequiredAuthentications directive were documented in the sshd_config man page. This update improves the man page to document all the possible options.

BZ#826720

When stopping one instance of the SSH daemon (sshd), the sshd init script (/etc/rc.d/init.d/sshd) stopped all sshd processes regardless of the PID of the processes. This update improves the init script so that it only kills processes with the relevant PID. As a result, the init script now works more reliably in a multi-instance environment.

BZ#836650

Due to a regression, the ssh-copy-id command returned an exit status code of zero even if there was an error in copying the key to a remote host. With this update, a patch has been applied and ssh-copy-id now returns a non-zero exit code if there is an error in copying the SSH certificate to a remote host.

BZ#836655

When SELinux was disabled on the system, no on-disk policy was installed, a user account was used for a connection, and no "~/.ssh" configuration was present in that user's home directory, the SSH client terminated unexpectedly with a segmentation fault when attempting to connect to another system. A patch has been provided to address this issue and the crashes no longer occur in the described scenario.

BZ#857760

The "HOWTO" document /usr/share/doc/openssh-ldap-5.3p1/HOWTO.ldap-keys incorrectly documented the use of the AuthorizedKeysCommand directive. This update corrects the document.

Enhancements

BZ#782912

When attempting to enable SSH for use with a Common Access Card (CAC), the ssh-agent utility read all the certificates in the card even though only the ID certificate was needed. Consequently, if a user entered their PIN incorrectly, then the CAC was locked, as a match for the PIN was attempted against all three certificates. With this update, ssh-add does not try the same PIN for every certificate if the PIN fails for the first one. As a result, the CAC will not be disabled if a user enters their PIN incorrectly.

BZ#860809

This update adds a "netcat mode" to SSH. The "ssh -W host:port ..." command connects standard input and output (stdio) on a client to a single port on a server. As a result, SSH can be used to route connections via intermediate servers.

BZ#869903

Due to a bug, arguments for the RequiredAuthentications2 directive were not stored in a Match block. Consequently, parsing of the config file was not in accordance with the man sshd_config documentation. This update fixes the bug and users can now use the required authentication feature to specify a list of authentication methods as expected according to the man page.

All users of openssh are advised to upgrade to these updated packages, which fix these issues and add these enhancements. After installing this update, the OpenSSH server daemon (sshd) will be restarted automatically.

6.168. openssl

6.168.1. RHBA-2013:0443 — openssl bug fix update

Updated openssl packages that fix four bugs are now available for Red Hat Enterprise Linux 6.

The openssl packages provide a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library.

Bug Fixes

BZ#770872

Prior to this update, the pkgconfig configuration files of OpenSSL libraries contained an invalid libdir value. This update modifies the underlying code to use the correct libdir value.

BZ#800088

Prior to this update, the openssl function "BIO_new_accept()" failed to listen on IPv4 addresses when this function was invoked with the "*:port" parameter. As a consequence, users failed to connect via IPv4 to a server that used this function call with the "*:port" parameter. This update modifies this function to listen on IPv4 address with this parameter as expected.

BZ#841645

Prior to this update, encrypted private key files that were saved in FIPS mode were corrupted because the PEM encryption uses hash algorithms that are not available in FIPS mode. This update uses the PKCS#8 encrypted format to write private keys to files in FIPS mode. This file format uses only algorithms that are available in FIPS mode.

BZ#841645

The manual page for "rand", the pseudo-random number generator, is named "sslrand" to avoid conflict with the manual page for the C library "rand()" function. This update provides the "openssl" manual page update to reflect this.

All users of openssl are advised to upgrade to these updated packages, which fix these bugs.

6.169. pacemaker

6.169.1. RHBA-2013:0375 — pacemaker bug fix and enhancement update

Updated pacemaker packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

Pacemaker is a high-availability cluster resource manager with a powerful policy engine.

Upgrade to an upstream version

The pacemaker packages have been upgraded to upstream version 1.1.8, which provides a number of bug fixes and enhancements over the previous version. (BZ#768522)

To minimize the difference between the supported cluster stack, Pacemaker should be used in combination with the CMAN manager. Previous versions of Pacemaker allowed the use of the Pacemaker plug-in for the Corosync engine. The plug-in is not supported in this environment and will be removed very soon. Please see http://clusterlabs.org/quickstart-redhat.html and Chapter 8 of "Clusters from Scratch" (http://clusterlabs.org/doc/en-US/Pacemaker/1.1-plugin/html/Clusters_from_Scratch) for details on using Pacemaker with CMAN.

Bug Fixes

BZ#801355

Multiple parts of the system could notice a node failure at different times. Consequently, if more than one component requested a node to be fenced, the fencing components did so multiple times. This bug has been fixed by merging identical requests from different clients if the first one is still in progress, so the node is fenced only once.

BZ#846983

Canceled operations were incorrectly stored in the cluster status. As a consequence, the cluster detected those operations and tried to clarify the status that led to additional logging and other confusing behavior. The underlying code has been modified so that the canceled operations are no longer stored in the cluster status, and Pacemaker now works as expected.

BZ#860684

An improper definition in the spec file caused unexpected implicit dependencies between Pacemaker subpackages; a certain library was in the incorrect location. The libstonithd.so.2 library has been relocated and the dependencies between Pacemaker subpackages are now defined correctly.

BZ#877364

On the systems running on AMD64 or Intel 64 architectures, the pacemaker-cts subpackage depends on some libraries from the pacemaker-libs subpackage. However, pacemaker-cts did not specify explicit package version requirement, which could cause dependency problems between new and old subpackages. The version specification of pacemaker-libs has been added to pacemaker-cts to prevent these dependency problems.

BZ#880249

Previously, deleting a master or slave resource led to one of the nodes being fenced. This update applies a patch to fix this bug and nodes are no longer fenced in such a case.

BZ#886151

Previously, the crm_report package did not install the perl-TimeData package as a dependency. Consequently, an attempt to run the crm_report utility on a system without this package failed with an error. This update adds this missing dependency and the crm_report utility can now be run as expected.

BZ#886989

Previously, it was possible to introduce non-significant whitespace characters into the Pacemaker configuration file. Consequently, Pacemaker returned confusing error messages when reading the configuration file. With this update, a patch has been applied to filter the undesired characters from the configuration file and Pacemaker no longer returns such error messages.

Enhancements

BZ#816875

With this update, Pacemaker provides a simpler XML output, which allows the users easier parsing and querying of the status of cluster resources.

BZ#816881

With this update, Pacemaker indicates when a cluster resource is reported as running based on cached information about a node that is no longer connected.

All users of Pacemaker are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.170. PackageKit

6.170.1. RHBA-2013:0394 — PackageKit bug fix update

Updated PackageKit packages that fix one bug are now available for Red Hat Enterprise Linux 6.

The PackageKit packages provide a D-Bus abstraction layer that allows the session user to manage packages in a secure way using a cross-distribution, cross-architecture API.

Bug Fix

BZ#735597

Prior to this update, the PackageKit daemon could abort with a segmentation fault when the user tried to authenticate with PolicyKit if the "/usr/sbin/consolekit" process failed or was manually stopped. This update modifies the underlying code so that PackageKit no longer fails when unable to access ConsoleKit. Now, a console warning message is displayed for PackageKit instead.

All users of PackageKit are advised to upgrade to these updated packages, which fix this bug.

6.171. pam

6.171.1. RHSA-2013:0521 — Moderate: pam security, bug fix and enhancement update

Updated pam packages that fix two security issues and several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.

Pluggable Authentication Modules (PAM) provide a system whereby administrators can set up authentication policies without having to recompile programs to handle authentication.

Security Fixes

CVE-2011-3148

A stack-based buffer overflow flaw was found in the way the pam_env module parsed users' ~/.pam_environment files. If an application's PAM configuration contained "user_readenv=1" (this is not the default), a local attacker could use this flaw to crash the application or, possibly, escalate their privileges.

CVE-2011-3149

A denial of service flaw was found in the way the pam_env module expanded certain environment variables. If an application's PAM configuration contained user_readenv=1 (this is not the default), a local attacker could use this flaw to cause the application to enter an infinite loop.

Red Hat would like to thank Kees Cook of the Google ChromeOS Team for reporting the CVE-2011-3148 and CVE-2011-3149 issues.

Bug Fixes

BZ#680204

The limit on number of processes was set in the /etc/limits.d/90-nproc.conf file to 1024 processes even for the root account. Consequently, root processes confined with SELinux, such as the prelink utility started from the crond daemon, failed to start if there were more than 1024 processes running with UID 0 on the system. The limit for root processes has been set to unlimited and the confined processes are no longer blocked in the described scenario.

BZ#750601

The require_selinux option handling in the pam_namespace module was broken. As a consequence, when SELinux was disabled, it was not possible to prevent users from logging in with the pam_namespace module. This option has been fixed and PAM works as expected now.

BZ#811168

The pam_get_authtok_verify() function did not save the PAM_AUTHTOK_TYPE PAM item properly. Consequently, the authentication token type, as specified with the authtok_type option of the pam_cracklib module, was not respected in the “Retype new password” message. The pam_get_authtok_verify() function has been fixed to properly save the PAM_AUTHTOK_TYPE item and PAM now works correctly in this case.

BZ#815516

When the remember option was used, the pam_unix module was matching usernames incorrectly while searching for the old password entries in the /etc/security/opasswd file. Due to this bug, the old password entries could be mixed; the users whose usernames were a substring of another username could have the old passwords entries of another user. With this update, the algorithm that is used to match usernames has been fixed. Now only the exact same usernames are matched and the old password entries are no longer mixed in the described scenario.

BZ#825270

Prior to this update, using the pam_pwhistory module caused an error to occur when the root user was changing user's password. It was not possible to choose any password that was in user's password history as the new password. With this update, the root user can change the password regardless of whether it is in the user's history or not.
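The username-matching flaw from BZ#815516 above, as an added example (not pam_unix source): a prefix comparison returns another user's password history, while an exact comparison of the name field does not. The `user:uid:count:hash,...` line layout, the function names and the sample entries are assumptions constructed for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample entries in the layout user:uid:count:hash[,hash...] */
static const char *SAMPLE_OPASSWD[] = {
    "bobby:1002:2:HASH_BOBBY_1,HASH_BOBBY_2",
    "bob:1001:1:HASH_BOB_1",
    "alice:1000:1:HASH_ALICE_1",
};
#define SAMPLE_LINES (sizeof(SAMPLE_OPASSWD) / sizeof(SAMPLE_OPASSWD[0]))

typedef int (*match_fn)(const char *line, const char *user);

/* Flawed matcher: accepts any line that merely starts with the username,
 * so "bob" also matches the entry that belongs to "bobby". */
static int match_prefix(const char *line, const char *user)
{
    return strncmp(line, user, strlen(user)) == 0;
}

/* Corrected matcher: the first ':'-delimited field must equal the username
 * exactly, in length as well as content. */
static int match_exact(const char *line, const char *user)
{
    size_t n = strlen(user);
    const char *colon = strchr(line, ':');

    if (colon == NULL || n == 0)
        return 0;
    return (size_t)(colon - line) == n && memcmp(line, user, n) == 0;
}

/* Return the hash list of the first entry the matcher accepts, or NULL. */
static const char *find_history(const char *const *lines, size_t count,
                                const char *user, match_fn match)
{
    size_t i;

    for (i = 0; i < count; i++) {
        const char *p = lines[i];
        int field;

        if (!match(p, user))
            continue;
        /* Skip the user, uid and count fields; hashes follow the 3rd ':'. */
        for (field = 0; field < 3 && p != NULL; field++) {
            p = strchr(p, ':');
            if (p != NULL)
                p++;
        }
        if (p != NULL)
            return p;   /* malformed lines fall through to the next entry */
    }
    return NULL;
}

int main(void)
{
    const char *flawed = find_history(SAMPLE_OPASSWD, SAMPLE_LINES,
                                      "bob", match_prefix);
    const char *fixed = find_history(SAMPLE_OPASSWD, SAMPLE_LINES,
                                     "bob", match_exact);

    printf("prefix match for bob: %s\n", flawed ? flawed : "(none)");
    printf("exact match for bob:  %s\n", fixed ? fixed : "(none)");
    return 0;
}
```

The outcome of the flawed matcher depends on entry order, which is why the mixing described in the bug report only shows up for some accounts.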

Enhancements

BZ#588893

Certain authentication policies require enforcement of password complexity restrictions even for root accounts. Thus, the pam_cracklib module now supports the enforce_for_root option, which enforces the complexity restrictions on new passwords even for the root account.

BZ#673398

The GECOS field is used to store additional information about the user, such as the user's full name or a phone number, which could be used by an attacker for an attempt to crack the password. The pam_cracklib module now also allows specifying the maximum allowed number of consecutive characters of the same class (lowercase, uppercase, number, and special characters) in a password.

BZ#681694

Certain authentication policies do not allow passwords which contain long continuous sequences such as “abcd” or “98765”. This update introduces the possibility to limit the maximum length of these sequences by using the new maxsequence option.

BZ#732050

Certain authentication policies require support for locking of an account that is not used for a certain period of time. This enhancement introduces an additional function to the pam_lastlog module, which allows users to lock accounts after a configurable number of days.

BZ#769694

On a system with multiple tmpfs mounts, it is necessary to limit their size to prevent them from occupying all of the system memory. This update allows specifying the maximum size and some other options of the tmpfs file system mount when using the tmpfs polyinstantiation method.

All pam users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements.

6.172. parted

6.172.1. RHBA-2013:0407 — parted bug fix and enhancement update

Updated parted packages that fix three bugs are now available for Red Hat Enterprise Linux 6.

The parted packages provide a disk partitioning and partition resizing program to create, destroy, resize, move and copy ext2, linux-swap, FAT, FAT32, and reiserfs partitions.

Bug Fixes

BZ#797979

Prior to this update, the parted program did not handle unexpected values in the HFS+ filesystem correctly. As a consequence, parted aborted with a segmentation fault. This update adds additional checks for unexpected values to the HFS+ code. Now, parted no longer aborts when handling unexpected values.

BZ#803108

Prior to this update, the parted program re-synchronized only the first 16 partitions on dm devices. As a consequence, all partitions after the 16th only appeared after reboot. This update modifies the underlying code to resynchronize all of the partitions. Now, new partitions also appear without a reboot.

All parted users are advised to upgrade to these updated packages, which fix these bugs.

6.173. pciutils

6.173.1. RHBA-2013:0380 — pciutils bug fix and enhancement update

Updated pciutils packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The pciutils packages provide various utilities for inspecting and manipulating devices connected to the Peripheral Component Interconnect (PCI) bus.

Upgrade to an upstream version

The pciutils packages have been upgraded to upstream version 3.1.10, which provides several minor bug fixes and enhances support of PCI Express devices over the previous version. (BZ#826112)

Users of pciutils are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.174. pcre

6.174.1. RHBA-2012:1240 — pcre bug fix releaseUpdated pcre packages that fix four bugs are now available for Red Hat Enterprise Linux 6.

The pcre packages provide the Perl-compatible regular expression (PCRE) library.

Bug FixesBZ#756105

Prior to this update, matching patterns with repeated forward reference failed to match if the firstcharacter was not repeated at the start of the matching text. This update modifies the matchingalgorithm not to expect the first character again. Now, patterns with repeated forwardreferences match as expected.

BZ#759475

Prior to this update, case-less patterns in UTF-8 mode did not match characters at the end of input text with an encoding length that was shorter than the encoding length of the character in the pattern, for example "/ⱥ/8i". This update modifies the pcre library to count the length of matched characters correctly. Now, case-less patterns match characters with different encoding length correctly even at the end of an input string.

BZ#799003

Prior to this update, manual pages for the pcre library contained misprints. This update modifies the manual pages.

BZ#842000

Prior to this update, applications that were compiled with the libpcrecpp library from the pcre version 6 could not be executed against the libpcrecpp library from the pcre version 7 because the application binary interface (ABI) was mismatched. This update adds the compat RE::Init() function for the pcre version 6 to the pcre version 7 libpcrecpp library. Applications that were compiled on Red Hat Enterprise Linux 5 and use the RE::Init function can now be executed on Red Hat Enterprise Linux 6.

All users of pcre are advised to upgrade to these updated packages, which fix these bugs.

6.175. pcsc-lite

6.175.1. RHSA-2013:0525 — Moderate: pcsc-lite security and bug fix update

Updated pcsc-lite packages that fix one security issue and three bugs are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.

PC/SC Lite provides a Windows SCard compatible interface for communicating with smart cards, smart card readers, and other security tokens.

Security Fix

CVE-2010-4531

A stack-based buffer overflow flaw was found in the way pcsc-lite decoded certain attribute values of Answer-to-Reset (ATR) messages. A local attacker could use this flaw to execute arbitrary code with the privileges of the user running the pcscd daemon (root, by default), by inserting a specially-crafted smart card.

Bug Fixes

BZ#788474, BZ#814549

Due to an error in the init script, the chkconfig utility did not automatically place the pcscd init script after the start of the HAL daemon. Consequently, the pcscd service did not start automatically at boot time. With this update, the pcscd init script has been changed to explicitly start only after HAL is up, thus fixing this bug.

BZ#834803

Because the chkconfig settings and the startup files in the /etc/rc.d/ directory were not changed during the update described in the RHBA-2012:0990 advisory, the user had to update the chkconfig settings manually to fix the problem. Now, the chkconfig settings and the startup files in the /etc/rc.d/ directory are automatically updated as expected.

BZ#891852

Previously, the SCardGetAttrib() function did not work properly and always returned the "SCARD_E_INSUFFICIENT_BUFFER" error regardless of the actual buffer size. This update applies a patch to fix this bug and the SCardGetAttrib() function now works as expected.

All users of pcsc-lite are advised to upgrade to these updated packages, which fix these issues. After installing this update, the pcscd daemon will be restarted automatically.

6.176. perl-GSSAPI

6.176.1. RHBA-2012:1340 — perl-GSSAPI bug fix update

Updated perl-GSSAPI packages that fix one bug are now available for Red Hat Enterprise Linux 6.

The perl-GSSAPI packages provide a Perl extension for GSSAPIv2 access.

Bug Fix

BZ#657274

Prior to this update, the perl-GSSAPI specification file used a krb5-devel file which was removed. As a consequence, the perl-GSSAPI package could not be rebuilt. This update modifies the specification file to use the current krb5-devel files.

All users of perl-GSSAPI are advised to upgrade to these updated packages, which fix this bug.

6.177. perl-IPC-Run3

6.177.1. RHBA-2012:1440 — perl-IPC-Run3 bug fix update

Updated perl-IPC-Run3 packages that fix two bugs are now available for Red Hat Enterprise Linux 6.

The perl-IPC-Run3 packages provide a module to run subprocesses and redirect the stdin, stdout, and stderr functionalities to files and perl data structures. The perl-IPC-Run3 package allows using system, qx, and open3 modules with a simple API.

Bug Fix

BZ#657487

Prior to this update, binary perl-IPC-Run3 packages failed to build if the perl-Time-HiRes module was not installed. This update adds the perl-Time-HiRes package to the build-time dependencies for perl-IPC-Run3.

BZ#870089

Prior to this update, tests that called the IPC-Run3 profiler failed when the internal perl-IPC-Run3 test suite was used. This update adds run-time dependencies on perl(Getopt::Long) and perl(Time::HiRes) to the perl-IPC-Run3 package because certain IPC-Run3 functions require the perl modules. Now, the IPC-Run3 profiler runs as expected.

All users of perl-IPC-Run3 are advised to upgrade to these updated packages, which fix these bugs.

6.178. perl-IPC-Run

6.178.1. RHBA-2012:1336 — perl-IPC-Run bug fix update

Updated perl-IPC-Run packages that fix one bug are now available for Red Hat Enterprise Linux 6.

The perl-IPC-Run packages provide a mechanism for Perl scripts to interact with child processes.

Bug Fix

BZ#856840

Prior to this update, the IO::Pty Perl module was not loaded when using the command "IPC::Run::harness" with the ">pty>" argument if the perl-IO-Tty package was not installed. As a consequence, the Perl code failed. This update adds a perl-IO-Tty dependency to the perl-IPC-Run packages.

All users of perl-IPC-Run are advised to upgrade to these updated packages, which fix this bug.

6.179. perl-SOAP-Lite

6.179.1. RHBA-2012:1388 — perl-SOAP-Lite bug fix update

An updated perl-SOAP-Lite package that fixes one bug is now available for Red Hat Enterprise Linux 6.

SOAP::Lite is a collection of Perl modules, which provides a simple and lightweight interface to the Simple Object Access Protocol (SOAP) both on client and server side.

Bug Fix

BZ#748376

XMLRPC requests could fail if the MOD_PERL environment value was defined. The standard read() function is now used instead of the sysread() function when MOD_PERL is defined. As a result, XMLRPC no longer fails in this scenario.

All users of perl-SOAP-Lite are advised to upgrade to this updated package, which fixes this bug.

6.180. perl-Sys-Virt

6.180.1. RHBA-2013:0377 — perl-Sys-Virt bug fix and enhancement update

Updated perl-Sys-Virt packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The perl-Sys-Virt packages provide application programming interfaces (APIs) to manage virtual machines from Perl with the libvirt library.

Upgrade to an upstream version

The perl-Sys-Virt package has been upgraded to upstream version 0.10.2, which provides a number of enhancements over the previous version. (BZ#836955)

Bug Fixes

BZ#848309

Previously, the Perl binding was setting an incompatible flag for the set_blkio_parameters() function. Consequently, it was impossible to use this function to apply block tuning. The incorrect flag has been removed and set_blkio_parameters() can now be used as expected.

BZ#861581

Prior to this update, an incorrect string length was used when setting hash keys, and thus names of certain hash keys were truncated. The correct string lengths were provided for hash keys and the hash keys for the get_node_memory_stats() function now match their documentation.

BZ#865310

When setting memory parameters, the set_node_memory_parameters() function was trying to also update some read-only values. Consequently, set_node_memory_parameters() always returned an error message. To fix this bug, the method has been changed to only set parameters, and set_node_memory_parameters() now works as expected.

BZ#869130

Previously, the API documentation contained formatting errors. This update provides correction of the API documentation, which formats the documentation correctly.

BZ#873203

Due to missing default values for parameters in the pm_suspend_for_duration() and pm_wakeup() functions, callers of the API had to supply the parameters even though they were supposed to be optional. With this update, the default values have been added to these functions, which now succeed when called.

BZ#882829

Prior to this update, mistakes were present in the Plain Old Documentation (POD) for the list_all_volumes() parameters, which could mislead users. The documentation has been updated and now describes the API usage for list_all_volumes() correctly.

BZ#883775

Previously, an incorrect class name was used with the list_all_nwfilters() function. Consequently, the objects returned from list_all_nwfilters() could not be used. Now, the object name has been fixed and the list_all_nwfilters() function works as expected.

BZ#886028

When checking the return value of the screenshot() and current_snapshot() functions, a wrong data type was assumed. Consequently, certain errors were not handled properly and applications could eventually terminate unexpectedly. With this update, API errors are correctly handled in screenshot() and current_snapshot(), and the applications no longer crash.

Users of perl-Sys-Virt are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.181. perl

6.181.1. RHBA-2013:0444 — perl bug fix update

Updated perl packages that fix one bug are now available for Red Hat Enterprise Linux 6.

The perl packages provide the high-level programming language Perl, which is commonly used for system administration utilities and web programming.

Bug Fix

BZ#720644

Prior to this update, computed Perl strings became corrupted or the interpreter could abort when a string with the "x" operator was repeated more than 2^31 times, for example, "my $s = 'a' x (2**31+1);". This update limits the right side of the "x" operator to 2^31 to prevent it from wrapping the internal representation of the count.

All users of perl are advised to upgrade to these updated packages, which fix this bug.

6.182. php

6.182.1. RHSA-2013:0514 — php bug fix and enhancement update

Updated php packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE link(s) associated with each description below.

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.

Security Fixes

CVE-2011-1398

It was found that PHP did not check for carriage returns in HTTP headers, allowing intended HTTP response splitting protections to be bypassed. Depending on the web browser the victim is using, a remote attacker could use this flaw to perform HTTP response splitting attacks.

CVE-2012-2688

An integer signedness issue, leading to a heap-based buffer underflow, was found in the PHP scandir() function. If a remote attacker could upload an excessively large number of files to a directory the scandir() function runs on, it could cause the PHP interpreter to crash or, possibly, execute arbitrary code.

CVE-2012-0831

It was found that PHP did not correctly handle the magic_quotes_gpc configuration directive. A remote attacker could use this flaw to disable the option, which may make it easier to perform SQL injection attacks.
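The carriage-return check described for CVE-2011-1398, sketched in C as an added example (this is not PHP's own code). The LF-only filter is an assumed model of the pre-fix behaviour, and all function names and the sample value are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed model of the pre-fix behaviour: only LF counts as a line break,
 * so a value carrying a bare CR is accepted as a single header. */
bool header_ok_lf_only(const char *h, size_t len)
{
    return memchr(h, '\n', len) == NULL;
}

/* Hardened check: CR, LF and NUL are all refused inside one header line. */
bool header_ok_strict(const char *h, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        if (h[i] == '\r' || h[i] == '\n' || h[i] == '\0')
            return false;
    }
    return true;
}

/* Number of header lines a client sees in h. Some clients end a line on a
 * bare CR (cr_ends_line = true); a strict client ends it only on LF. */
size_t header_lines_seen(const char *h, size_t len, bool cr_ends_line)
{
    size_t lines = len ? 1 : 0;
    for (size_t i = 0; i < len; i++) {
        bool crlf = h[i] == '\r' && i + 1 < len && h[i + 1] == '\n';
        if (crlf)
            continue;               /* counted when the LF is reached */
        if ((h[i] == '\n' || (cr_ends_line && h[i] == '\r')) && i + 1 < len)
            lines++;
    }
    return lines;
}

/* Constructed sample: one header value with an embedded bare CR. */
static const char SAMPLE[] = "X-Trace: abc\rX-Extra: 1";

int main(void)
{
    size_t n = sizeof SAMPLE - 1;
    printf("LF-only check accepts: %d\n", header_ok_lf_only(SAMPLE, n));
    printf("strict check accepts:  %d\n", header_ok_strict(SAMPLE, n));
    printf("lines seen: strict client %zu, CR-tolerant client %zu\n",
           header_lines_seen(SAMPLE, n, false),
           header_lines_seen(SAMPLE, n, true));
    return 0;
}
```

The same server output is one header to a strict client and two to a CR-tolerant one, which is why the outcome depends on the victim's browser.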

Bug Fixes

BZ#771738

Prior to this update, if a negative array index value was sent to the var_export() function, the function returned an unsigned index ID. With this update, the function has been modified to process negative array index values correctly.

BZ#812819

Previously, the setDate(), setISODate() and setTime() functions did not work correctly when the corresponding DateTime object was created from the timestamp. This bug has been fixed and the aforementioned functions now work properly.

BZ#824199

Previously, a segmentation fault occurred when PDOStatement was reused after failing due to the NOT NULL integrity constraint. This occurred when the pdo_mysql driver was in use. With this update, a patch has been introduced to fix this issue.

BZ#833545

Prior to this update, the dependency of the php-mbstring package on php-common packages was missing an architecture-specific requirement. Consequently, attempts to install or patch php-common failed on machines with php-mbstring installed. With this update, the architecture-specific requirement has been added and php-common can now be installed without complications.

BZ#836264

Previously, the strcpy() function, called by the extract_sql_error_rec() function in the unixODBC API, overwrote a guard variable in the pdo_odbc_error() function. Consequently, a buffer overflow occurred. This bug has been fixed and the buffer overflow no longer occurs.

BZ#848186, BZ#868375

Under certain circumstances, the $this object became corrupted, and behaved as a non-object. A test with the is_object() function remained positive, but any attempt to access a member variable of $this resulted in the following warning:

Notice: Trying to get property of non-object

This behavior was caused by a bug in the Zend garbage collector. With this update, a patch has been introduced to fix garbage collection. As a result, $this no longer becomes corrupted.

BZ#858653

Previously, the Fileinfo extension did not use the stat interface from the stream wrapper. Consequently, when used with a stream object, the Fileinfo extension failed with the following message:

file not found

With this update, the Fileinfo extension has been fixed to use the stream wrapper's stat interface. Note that only the file and phar stream wrappers support the stat interface in PHP 5.3.3.

BZ#859371

When the DISABLE_AUTHENTICATOR parameter of the imap_open() function was specified as an array, it ignored the array input. Consequently, a GSSAPI warning was shown. This bug has been fixed and DISABLE_AUTHENTICATOR now processes the array input correctly.

BZ#864951

Previously, a PHP script using the ODBC interfaces could enter a deadlock when the maximum execution time period expired while it was executing an SQL statement. This occurred because the execution timer used a signal and the invoked ODBC functions were not re-entrant. With this update, the underlying code has been modified and the deadlock is now less likely to occur.

Enhancements

BZ#806132, BZ#824293

This update adds the php-fpm package, which provides the FastCGI Process Manager.

BZ#837042

With this update, a php(language) virtual provide for specifying the PHP language version has been added to the php package.

BZ#874987

Previously, the php-xmlreader and php-xmlwriter modules were missing virtual provides. With this update, these virtual provides have been added.

All users of php are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.183. piranha

6.183.1. RHBA-2013:0351 — piranha bug fix and enhancement update

Updated piranha packages that fix two bugs are now available for Red Hat Enterprise Linux 6.

Piranha provides high-availability and load-balancing services for Red Hat Enterprise Linux. The piranha packages contain various tools to administer and configure the Linux Virtual Server (LVS), as well as the heartbeat and failover components. LVS is a dynamically-adjusted kernel routing mechanism that provides load balancing, primarily for Web and FTP servers.

Bug Fixes

BZ#857917

The IPVS timeout values in the Piranha web interface could be reset whenever the Global Settings page was visited. As a consequence, if the Transmission Control Protocol (TCP) timeout, TCP FIN timeout, or User Datagram Protocol (UDP) timeout values had been set, these values could be erased from the configuration file. This bug has been fixed and all IPVS timeout values are preserved as expected.

BZ#860924

Previously, the Piranha web interface incorrectly displayed the value "5" for a virtual server interface. With this update, the Piranha web interface properly displays the interface associated with a virtual server.

All users of piranha are advised to upgrade to these updated packages, which fix these bugs.

6.184. pki-core

6.184.1. RHSA-2013:0511 — Moderate: pki-core security, bug fix and enhancement update

Updated pki-core packages that fix multiple security issues, two bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.

Red Hat Certificate System is an enterprise software system designed to manage enterprise public key infrastructure (PKI) deployments. PKI Core contains fundamental packages required by Red Hat Certificate System, which comprise the Certificate Authority (CA) subsystem.

Security Fix

CVE-2012-4543

Note: The Certificate Authority component provided by this advisory cannot be used as a standalone server. It is installed and operates as a part of Identity Management (the IPA component) in Red Hat Enterprise Linux.

Multiple cross-site scripting flaws were discovered in Certificate System. An attacker could use these flaws to perform a cross-site scripting (XSS) attack against victims using Certificate System's web interface.

Bug Fixes

BZ#841663

Previously, due to incorrect conversion of large integers while generating a new serial number, some of the most significant bits in the serial number were truncated. Consequently, the serial number generated for certificates was sometimes smaller than expected and this incorrect conversion in turn led to a collision if a certificate with the smaller number already existed in the database. This update removes the incorrect integer conversion so that no serial numbers are truncated. As a result, the installation wizard proceeds as expected.

BZ#844459

The certificate authority used a different profile for issuing the audit certificate than it used for renewing it. The issuing profile was for two years, and the renewal was for six months. They should both be for two years. This update sets the default and constraint parameters in the caSignedLogCert.cfg audit certificate renewal profile to two years.

Enhancements

BZ#858864

IPA (Identity, Policy and Audit) now provides an improved way to determine that PKI is up and ready to service requests. Checking the service status was not sufficient. This update creates a mechanism for clients to determine that the PKI subsystem is up using the getStatus() function to query the cs.startup_state in CS.cfg.

BZ#891985

This update increases the default root CA validity period from eight years to twenty years.

All users of pki-core are advised to upgrade to these updated packages, which fix these issues and add these enhancements.

6.185. plymouth

6.185.1. RHBA-2013:0321 — plymouth bug fix and enhancement update

Updated plymouth packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The plymouth packages provide a graphical boot animation in place of the text messages that are normally displayed. Text messages are instead redirected to a log file for viewing after boot.

Upgrade to an upstream version

The plymouth packages have been upgraded to upstream version 0.8.3, which provides a number of bug fixes and enhancements over the previous version. (BZ#853207)

All users of plymouth are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.186. pm-utils

6.186.1. RHBA-2012:1094 — pm-utils bug fix update

Updated pm-utils packages that fix one bug are now available for Red Hat Enterprise Linux 6.

The pm-utils packages contain a set of utilities and scripts for tasks related to power management.

Bug Fix

BZ#800630

Prior to this update, the RPM description contained wrong product names. This update removes all wrong information.

All users of pm-utils are advised to upgrade to these updated packages, which fix this bug.

6.187. policycoreutils

6.187.1. RHBA-2013:0396 — policycoreutils bug fix and enhancement update

Updated policycoreutils packages that fix several bugs and add two enhancements are now available for Red Hat Enterprise Linux 6.

The policycoreutils packages contain the policy core utilities that are required for basic operation of SELinux. These utilities include load_policy to load policies, setfiles to label file systems, newrole to switch roles, and run_init to run /etc/init.d scripts in the proper context.

Bug Fixes

BZ#816460, BZ#885527

Previously, when the policycoreutils-gui utility was used to add an SELinux policy for a socket file, policycoreutils-gui failed with a traceback. This bug has been fixed, policycoreutils-gui now succeeds, and the SELinux policy is now added in this scenario.

BZ#824779

Due to a bug in the code, when the restorecon utility failed, it returned the success exit code. This bug has been fixed and restorecon now returns appropriate exit codes.

BZ#843727

When multiple type accesses from the same role occurred, the audit2allow utility produced policy files that could not be parsed by the checkmodule compiler. With this update, audit2allow produces correct policy files which can be compiled by checkmodule.

BZ#876971

The restorecond init script allows use of the "reload" operation. Previously, the usage message produced by restorecond did not mention the operation. The operation has been added to the usage message, which is now complete.

BZ#882862

Prior to this update, the audit2allow utility produced a confusing output when one of the several processed AVCs could be allowed by a boolean, as it was not clear which AVC the message was related to. The layout of the output has been corrected and the audit2allow output no longer causes confusion.

BZ#893065

Due to a regression, the vdsm package failed to be installed on Red Hat Enterprise Linux 6.4 if SELinux was disabled. A patch which enables the vdsm installation has been provided.

Enhancements

BZ#834160

A new function has been implemented in the semanage utility. Now, the user is able to notice that a specified file context semanage command is wrong and an appropriate error message is returned.

BZ#851479

With this update, the restorecon utility now returns a warning message for paths for which a default SELinux security context is not defined in the policy.

Users of policycoreutils are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.188. powerpc-utils

6.188.1. RHBA-2013:0384 — powerpc-utils bug fix and enhancement update

Updated powerpc-utils packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The powerpc-utils packages provide various utilities for the PowerPC platform.

Upgrade to an upstream version

The powerpc-utils packages have been upgraded to upstream version 1.2.13, which provides a number of bug fixes and enhancements over the previous version, including support for physical Ethernet devices. The snap and hvcsadmin scripts now use the "use strict" construct to prevent a Perl interpreter from allowing usage of unsafe constructs, such as symbolic references, undeclared variables and using strings without quotation marks. The snap script now also allows adding a hostname and timestamp to its output file name by specifying the "-t" option. (BZ#822656)

Bug Fixes

BZ#739699

The bootlist command is used to read and modify the bootlist in NVRAM so that a system can boot from the correct device. Previously, when using a multipath device as a boot device, the bootlist command used its Linux logical name. However, Open Firmware, which is used on IBM POWER systems, is unable to parse Linux logical names. Therefore booting from a multipath device on IBM POWER systems failed. This update modifies the bootlist script so that bootlist now supports multipath devices as a parameter. The script converts Linux logical names of multipath devices to the path names that are parsable by Open Firmware. Booting from a multipath device on IBM POWER systems now succeeds as expected.

BZ#857841

Previously, the "hvcsadmin -status" command did not provide any output if no IBM hypervisor virtual console server (hvcs) adapters were found on the system. This update corrects the hvcsadmin script so that when executing the "hvcsadmin -status" command, the user can now see a message indicating that no hvcs adapters were found.

BZ#870212

The lsdevinfo script did not previously take into consideration the "status" attribute for Ethernet devices. This attribute is essential for the End-to-End Virtual Device View feature so the feature did not work without it. This update modifies lsdevinfo so the script now also checks the status of Ethernet devices and sets the status attribute to 1. The End-to-End Virtual Device View feature now works as expected.

All users of powerpc-utils are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.189. ppc64-diag

6.189.1. RHBA-2013:0382 — ppc64-diag bug fix and enhancement update

Updated ppc64-diag packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The ppc64-diag packages provide diagnostic tools for Linux on the 64-bit PowerPC platforms. The platform diagnostics write events reported by the firmware to the service log, provide automated responses to urgent events, and notify system administrators or connected service frameworks about the reported events.

Upgrade to an upstream version

The ppc64-diag packages have been upgraded to upstream version 2.5.0, which provides a number of bug fixes and enhancements over the previous version. (BZ#822653)

Bug Fixes

BZ#833619

Previously, the GARD functionality could fail to "gard out" a CPU that was being deconfigured on a logical partition (LPAR) if a predictive CPU failure was received. Consequently, the CPU could not be deconfigured. This was caused by incorrect behavior of the SIGCHLD signal handler, which under certain circumstances performed cleanup on a pipe child process that had already exited. This update modifies the underlying source code so that the SIGCHLD signal handler is reset to the default action before a pipe is open and set up again after the pipe is closed. The CPU is now correctly "garded out" and deconfigured as expected in this scenario. Also, vital product data (VPD) extraction from the lsvpd command did not work correctly. This has been fixed by correcting the lsvpd_init() function, and VPD is now obtained as expected.

BZ#878314

The diag_encl command was previously enhanced with a comparison feature. The feature requires the /etc/ppc64-diag/ses_pages directory to be created on ppc64-diag installation. However, the ppc64-diag spec file was not modified accordingly so that the required directory was not created when installing the ppc64-diag packages. Consequently, the comparison feature of the diag_encl command did not work. This update corrects the ppc64-diag spec file so that the /etc/ppc64-diag/ses_pages directory is now created as expected, and the comparison feature works properly.
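The SIGCHLD handling described for BZ#833619, as an added C example that is not taken from the ppc64-diag source: a daemon-style handler that reaps every child, and a pipe helper that switches SIGCHLD to its default action for the popen()..pclose() window and then restores the handler. The function names and the handler itself are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Daemon-style SIGCHLD handler that reaps every exited child. If it runs
 * while a popen() stream is open it can reap popen()'s child as well, and
 * the later pclose() then fails with ECHILD. */
static void reap_all_children(int signo)
{
    int saved_errno = errno;
    (void)signo;
    while (waitpid(-1, NULL, WNOHANG) > 0)
        ;
    errno = saved_errno;
}

/* Install the reaping handler, as a long-running daemon does at start-up. */
int install_reaper(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = reap_all_children;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART;
    return sigaction(SIGCHLD, &sa, NULL);
}

/* Return 1 if the reaping handler is the current SIGCHLD disposition. */
int reaper_is_installed(void)
{
    struct sigaction cur;
    if (sigaction(SIGCHLD, NULL, &cur) != 0)
        return 0;
    return cur.sa_handler == reap_all_children;
}

/* Run cmd through a pipe with SIGCHLD at its default action for the whole
 * popen()..pclose() window, then set the previous handler up again.
 * Copies the first output line to out; returns the exit status or -1. */
int run_piped(const char *cmd, char *out, size_t outlen)
{
    struct sigaction dfl, old;
    char discard[256];
    FILE *fp;
    int status;

    if (out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';

    memset(&dfl, 0, sizeof dfl);
    dfl.sa_handler = SIG_DFL;
    sigemptyset(&dfl.sa_mask);
    if (sigaction(SIGCHLD, &dfl, &old) != 0)
        return -1;

    fp = popen(cmd, "r");
    if (fp == NULL) {
        sigaction(SIGCHLD, &old, NULL);
        return -1;
    }
    if (fgets(out, (int)outlen, fp) != NULL)
        out[strcspn(out, "\n")] = '\0';
    while (fgets(discard, sizeof discard, fp) != NULL)
        ;                           /* drain so the child can exit cleanly */
    status = pclose(fp);            /* the child is still ours to wait for */

    sigaction(SIGCHLD, &old, NULL); /* restore the daemon's handler */
    if (status == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    char line[64];
    if (install_reaper() != 0)
        return 1;
    int rc = run_piped("echo ready; exit 3", line, sizeof line);
    printf("output=\"%s\" exit=%d handler restored=%d\n",
           line, rc, reaper_is_installed());
    return 0;
}
```

Other children that exit inside the window raise no handler call, so a daemon using this pattern should run one extra reaping pass after restoring the handler.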

All users of ppc64-diag are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.190. procps

6.190.1. RHBA-2012:1463 — procps bug fix update

Updated procps packages that fix two bugs are now available for Red Hat Enterprise Linux 6.

The procps packages provide a set of system utilities to provide system information using the /proc file system. The procps package includes the free, pgrep, pkill, pmap, ps, pwdx, skill, slabtop, snice, sysctl, tload, top, uptime, vmstat, w, and watch utilities.

Bug Fixes

BZ#851664

Prior to this update, the 'si' and 'so' values were always zero for "m" or "M" units. This was caused by an arithmetic precision loss in the expressions used for the calculations. This update modifies the expressions to avoid precision losses.

BZ#875077

Prior to this update, the vmstat tool could be terminated unexpectedly, raising the SIGFPE exception, when the total sum of 'us', 'sy', 'id', 'wa' and 'st' values returned by the kernel was zero. This situation could only appear on certain specific platforms. This update modifies the internal evaluation so that the vmstat tool is more robust and no longer terminates.
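Both procps failure modes above, illustrated in C as an added example rather than the procps source: integer unit conversion that always yields zero beside an ordering that keeps precision, and a percentage calculation that guards the zero-total case. The page size, the 1 MiB unit, the idle fallback and all names are assumptions chosen for illustration.

```c
#include <stdio.h>

/* Constructed values: 4 KiB pages and an output unit of 1 MiB (1024 KiB). */
enum { KB_PER_PAGE = 4, KB_PER_UNIT = 1024 };

/* Lossy order: scale the per-page size first. 4 / 1024 is 0 in integer
 * arithmetic, so every swap rate becomes 0 whatever the page count. */
unsigned long rate_scaled_first(unsigned long pages, unsigned long secs)
{
    unsigned long unit_per_page = KB_PER_PAGE / KB_PER_UNIT;   /* == 0 */
    if (secs == 0)
        secs = 1;
    return (pages * unit_per_page + secs / 2) / secs;
}

/* Precise order: multiply up to KiB first and divide by the unit and the
 * interval last, rounding to nearest. */
unsigned long rate_scaled_last(unsigned long pages, unsigned long secs)
{
    unsigned long long kb, divisor;
    if (secs == 0)
        secs = 1;
    kb = (unsigned long long)pages * KB_PER_PAGE;
    divisor = (unsigned long long)KB_PER_UNIT * secs;
    return (unsigned long)((kb + divisor / 2) / divisor);
}

struct cpu_pct { unsigned us, sy, id, wa, st; };

/* Convert tick deltas for one interval into percentages. A zero total
 * would make every division below trap with SIGFPE, so that case is
 * reported as a fully idle interval instead (assumed fallback). */
struct cpu_pct cpu_percentages(unsigned long long us, unsigned long long sy,
                               unsigned long long id, unsigned long long wa,
                               unsigned long long st)
{
    unsigned long long total = us + sy + id + wa + st;
    unsigned long long half;
    struct cpu_pct p;

    if (total == 0) {
        id = 1;
        total = 1;
    }
    half = total / 2;
    p.us = (unsigned)((100 * us + half) / total);
    p.sy = (unsigned)((100 * sy + half) / total);
    p.id = (unsigned)((100 * id + half) / total);
    p.wa = (unsigned)((100 * wa + half) / total);
    p.st = (unsigned)((100 * st + half) / total);
    return p;
}

int main(void)
{
    struct cpu_pct p = cpu_percentages(0, 0, 0, 0, 0);
    printf("300 pages/s in MiB: lossy=%lu precise=%lu\n",
           rate_scaled_first(300, 1), rate_scaled_last(300, 1));
    printf("zero-tick interval: us=%u sy=%u id=%u wa=%u st=%u\n",
           p.us, p.sy, p.id, p.wa, p.st);
    return 0;
}
```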

All users of procps are advised to upgrade to these updated packages, which fix these bugs.

6.191. pykickstart

6.191.1. RHBA-2013:0507 — pykickstart bug fix and enhancement updateUpdated pykickstart packages that fix four bugs and add one enhancement are now available for RedHat Enterprise Linux 6.

The pykickstart packages contain a python library for manipulating kickstart files.

Bug Fixes

BZ#823856, BZ#832688, BZ#8374 4 0Previously, when using the volgroup command with the --useexisting option without specifyingthe physical volume (PV), the system installation failed with the following message:

volgroup must be given a list of partitions

With this update, the library scripts have been set to check if the PVs are defined prior to theinstallation. In case of undefined PVs, the scripts raise a warning message to notify the user.

BZ#815573Previously, the kickstart command options marked as deprecated were not allowed to carry avalue. Consequently, a kickstart file containing a deprecated command option with an assignedvalue, such as --videoram="value", could not be validated. The ksvalidator tool terminated withthe following message:

--videoram option does not take a value

With this update, the deprecated options have been allowed to take values and the error nolonger occurs in the aforementioned scenario.

Enhancement

BZ#843174
The "autopart", "logvol", "part", and "raid" commands can now take the --cipher option to specify the encryption algorithm to be used for encrypting devices. If this option is not provided, the installer will use the default algorithm.

All users of pykickstart are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.

6.192. PyQt4

6.192.1. RHBA-2012:1241 — PyQt4 bug fix update

Updated PyQt4 packages that fix two bugs are now available for Red Hat Enterprise Linux 6.

The PyQt4 packages contain python bindings for Qt4.

Bug Fixes

BZ#757411
Prior to this update, the PyQt4 utility did not contain the deleteResource method of PyQt4.QtNetwork.QNetworkAccessManager. This update modifies the underlying code to include the missing qnetwork-deleteResource method.

BZ#821061
Prior to this update, the PyQt4 utility did not contain the QMenuBar.setCornerWidget method. This update modifies the underlying code to include the missing qmenubar-cornerWidget method.

All users of PyQt4 are advised to upgrade to these updated packages, which fix these bugs.

6.193. python-ethtool

6.193.1. RHBA-2013:0454 — python-ethtool bug fix and enhancement update

Updated python-ethtool packages that fix four bugs and add one enhancement are now available for Red Hat Enterprise Linux 6.

The python-ethtool package makes the ethtool kernel interface available within the Python programming environment to allow querying and changing of Ethernet card settings, such as speed, port, auto-negotiation, and PCI locations.

Bug Fixes

BZ#692028
With this update, a typographical error has been corrected in the output of the "pethtool --help" command.

BZ#698125
Prior to this update, a memory leak occurred when the get_active_devices() and get_interfaces_info() functions were called repeatedly. This bug has been fixed and the memory leak no longer occurs in the described scenario.

BZ#714753
Due to a bug in the command-line parser, the pifconfig utility did not accept an interface as an argument if specified on the command line. Consequently, the utility displayed all interfaces rather than just information about the specified interface as was expected. The bug in the parser has been fixed and pifconfig now correctly parses passed arguments.

BZ#759150
Previously, if one network interface controller (NIC) had more than one IP address, only the first address was reported multiple times. With this update, the get_ipv4_addresses() method has been implemented to report all IP addresses on the NIC.

Enhancement

BZ#698192
With this update, support for devices configured with IPv6 has been added to the pifconfig utility.

All users of python-ethtool are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.

6.194. python-nss

6.194.1. RHBA-2013:0405 — python-nss bug fix and enhancement update

Updated python-nss packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The python-nss packages provide bindings for Network Security Services (NSS) that allow Python programs to use the NSS cryptographic libraries for SSL/TLS and PKI certificate management.

Upgrade to an upstream version

The python-nss packages have been upgraded to upstream version 0.13, which provides a number of bug fixes and enhancements over the previous version. (BZ#827616)

Bug Fixes

BZ#698663
On the 64-bit architecture, the setup_certs.py script contained an incorrect path to the libnssckbi.so library. As a consequence, the script attempted to run the "modutil -dbdir pki -add ca_certs -libfile /usr/lib/libnssckbi.so" command and failed with an error, because on this architecture, the libnssckbi.so library is located in the /usr/lib64/ directory. This update allows the modutil command-line utility to find the libnssckbi.so module based on its knowledge of the system.

BZ#796295
When setting Basic Constraints for a CA certificate, the python-nss package failed with the following message:

cannot decode Basic Constraints

This was because of an incorrect format specifier, which is now fixed and python-nss no longer fails in this scenario.

Enhancement

BZ#642795
The python-nss package has been updated to add support for PKCS#12 files.

Users of python-nss are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.195. python-paste

6.195.1. RHBA-2013:0472 — python-paste bug fix update

An updated python-paste package that fixes one bug is now available for Red Hat Enterprise Linux 6.

Python Paste provides middleware for building and running Python web applications.

Bug Fix

BZ#783158
Previously, the auth_tkt plugin used MD5 checksums, which are not FIPS (Federal Information Processing Standard) compliant. Consequently, when FIPS compliance mode was active on the system, auth_tkt failed. The auth_tkt plugin has been set to use Secure Hash Algorithm (SHA) 256, which is FIPS-compliant, instead of MD5 checksums. As a result, auth_tkt no longer fails in this situation.

All users of python-paste are advised to upgrade to this updated package, which fixes this bug.
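The following is an added example, not code from python-paste: a signed-ticket routine with a selectable digest, illustrating the auth_tkt change described above. The ticket layout (hex digest, 8 hex digits of timestamp, then `userid!user_data`), the function names and the secret are assumptions. It shows that hashlib typically refuses MD5 with a ValueError when FIPS mode is enforced, and that the verifier's parse offset depends on the digest length, so an MD5-signed ticket does not verify once the format moves to SHA-256.

```python
import hashlib
import hmac


class BadTicket(Exception):
    """Raised when a ticket is malformed or its digest does not verify."""


def digest_available(algo):
    """Return True if hashlib will construct `algo` on this host.

    hashlib raises ValueError for unknown algorithms and, on hosts where
    FIPS mode is enforced, typically for MD5 as well.
    """
    try:
        hashlib.new(algo)
        return True
    except ValueError:
        return False


def calculate_digest(secret, userid, timestamp, user_data, algo):
    """Two-pass keyed digest over the ticket fields, hex encoded."""
    fields = (("%08x" % timestamp).encode() + secret +
              userid.encode() + b"\0" + user_data.encode())
    inner = hashlib.new(algo, fields).hexdigest().encode()
    return hashlib.new(algo, inner + secret).hexdigest()


def make_ticket(secret, userid, timestamp, user_data="", algo="sha256"):
    """Build '<digest><timestamp><userid>!<user_data>' (assumed layout)."""
    if "!" in userid:
        raise ValueError("userid must not contain the field separator '!'")
    if not 0 <= timestamp <= 0xFFFFFFFF:
        raise ValueError("timestamp must fit in 8 hex digits")
    digest = calculate_digest(secret, userid, timestamp, user_data, algo)
    return "%s%08x%s!%s" % (digest, timestamp, userid, user_data)


def parse_ticket(secret, ticket, algo="sha256"):
    """Verify a ticket and return (userid, timestamp, user_data)."""
    # The digest is a fixed-width prefix whose width depends on the
    # algorithm: 32 hex characters for MD5, 64 for SHA-256.
    hex_len = hashlib.new(algo).digest_size * 2
    digest, rest = ticket[:hex_len], ticket[hex_len:]
    try:
        timestamp = int(rest[:8], 16)
        userid, user_data = rest[8:].split("!", 1)
    except ValueError:
        raise BadTicket("malformed ticket") from None
    expected = calculate_digest(secret, userid, timestamp, user_data, algo)
    # Constant-time comparison on bytes; the ticket is untrusted input.
    if not hmac.compare_digest(digest.encode("utf-8", "replace"),
                               expected.encode()):
        raise BadTicket("digest mismatch")
    return userid, timestamp, user_data


if __name__ == "__main__":
    secret = b"constructed-secret"  # constructed sample value
    print("md5 usable on this host:", digest_available("md5"))
    ticket = make_ticket(secret, "alice", 1359676800, "role=user")
    print(ticket)
    print(parse_ticket(secret, ticket))
```
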

6.196. python-psycopg2

6.196.1. RHBA-2013:0327 — python-psycopg2 bug fix and enhancement update

Updated python-psycopg2 packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The python-psycopg2 packages provide a PostgreSQL database adapter for the Python programming language (like pygresql and popy). The main advantages of psycopg2 are that it supports the full Python DBAPI-2.0 and that it is thread safe at level 2.

Upgrade to an upstream version

The python-psycopg2 packages have been upgraded to upstream version 2.0.14, which provides a number of bug fixes and enhancements over the previous version, including the fix for a memory leak in cursor handling. This update also ensures better compatibility with the PostgreSQL object-relational database management system version 8.4. (BZ#765998)

Bug Fixes

BZ#711095
Prior to this update, a copy operation terminated unexpectedly if a second thread in a single application triggered the Python garbage collection while the copy operation was in progress. This update adds the appropriate object reference count adjustments to the code.

BZ#843723
Prior to this update, object reference counting could, under certain circumstances, cause assertion failures in Python. This update modifies the underlying code to avoid these failures.

All users of psycopg2 are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.197. python-rhsm

6.197.1. RHBA-2013:0371 — python-rhsm bug fix and enhancement update

Updated python-rhsm packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The python-rhsm packages contain a library for communicating with the representational state transfer (REST) interface of Red Hat's subscription and content service. This interface is used by the Subscription Management tools for management of system entitlements, certificates, and access to content.

Upgrade to an upstream version

The python-rhsm packages have been upgraded to upstream version 1.1.7, which provides a number of bug fixes and enhancements over the previous version. (BZ#860306)

Enhancement

BZ#790481
This enhancement allows the value of the subscription-manager version to be added to the X-HTTP header field.

All users of python-rhsm are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.198. python-rtslib

6.198.1. RHBA-2013:0466 — python-rtslib bug fix update

An updated python-rtslib package that fixes one bug is now available for Red Hat Enterprise Linux 6.

The python-rtslib package provides a Python library to configure the kernel target subsystem, using the configfs file system.

Bug Fix

BZ#838759
Previously, it was possible to create more than one "fileio" backstore with the same backing file. This behavior could lead to data loss. This update prevents "fileio" backstores from using the same backing store.

All users of python-rtslib are advised to upgrade to this updated package, which fixes this bug.

6.199. python

6.199.1. RHBA-2013:0437 — python bug fix update

Updated python packages that fix several bugs are now available for Red Hat Enterprise Linux 6.

Python is an interpreted, interactive, object-oriented programming language often compared to Tcl, Perl, Scheme, or Java. Python includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems (X11, Motif, Tk, Mac and MFC).

Bug Fixes

BZ#707944
Previously, applying the python-2.6.5-ctypes-noexecmem patch caused the ctypes.CFUNCTYPE() function to allocate memory in order to avoid running the process in a SELinux domain with the execmem permission. When this allocation process forked without using the exec() function (for example in a multi-processing module), the state of the allocator was shared between parent and child processes. This shared state caused unpredictable interactions between the processes, potentially leading to segmentation faults or lack of termination of a multiprocessing workload. With this update, python-2.6.5-ctypes-noexecmem has been reverted, and the unpredictable behavior no longer occurs. In addition, Python programs are now required to run within a SELinux domain with execmem permissions.

BZ#814391
Prior to this update, any usage of the ctypes module (such as via the "uuid" module used by the Django application framework) triggered the ctypes.CFUNCTYPE() function on module import. Consequently, if the process was missing SELinux permissions, AVC denial messages were returned. This bug has been fixed, and SELinux permissions are now required only in relevant cases of ctypes usage, such as passing a Python callable to a C callback.

BZ#810847, BZ#841748
In certain cases, enabled C-level assertions caused the python library to fail when building valid Python code. Consequently, code containing four or more nested "IF" statements within a list comprehension or generator expression failed to compile. Moreover, an error occurred when formatting certain numpy objects. With this update, the C-level assertions have been deactivated and the aforementioned problems no longer occur.

BZ#833271
As part of the fix for CVE-2012-0876, a new symbol ("XML_SetHashSalt") was added to the system libexpat library, which the Python standard library uses in the pyexpat module. If an unpatched libexpat.so.1 was present in a directory listed in LD_LIBRARY_PATH, then attempts to use the pyexpat module (for example from yum) would fail with an ImportError exception. This update adds an RPATH directive to pyexpat to ensure that libexpat is used by pyexpat, regardless of whether there is an unpatched libexpat within the LD_LIBRARY_PATH, thus preventing the ImportError exception.

BZ#835460
Due to a bug in the Python logging module, the SysLogHandler class continued to send log messages to a closed connection. Consequently, an infinite loop occurred when SysLogHandler was used together with the Eventlet library. The bug has been fixed, and the described issue no longer occurs.

All users of python are advised to upgrade to these updated packages, which fix these bugs.

6.200. python-virtinst

6.200.1. RHBA-2013:0463 — python-virtinst bug fix and enhancement update

An updated python-virtinst package that fixes one bug and adds two enhancements is now available for Red Hat Enterprise Linux 6.

The python-virtinst package contains several command-line utilities, including virt-install for building and installing new virtual machines, and virt-clone for cloning existing virtual machines.

Bug Fix

BZ#834495
Prior to this update, executing the "virt-install --cpuset=auto" command led to a backtrace, and the optimal configuration of the "cpuset" string was not formed. With this update, a patch has been backported from upstream and the described error no longer occurs.

Enhancements

BZ#803631
With this update, Red Hat Enterprise Linux 7 has been added to the list of known Linux distributions in both the virt-manager and virt-install utilities.

BZ#832339
Previously, the virt-install utility supported only the first security label listed in the libvirt capabilities. With this update, support for more labels has been added.

All users of python-virtinst are advised to upgrade to this updated package, which fixes this bug and adds these enhancements.

6.201. qemu-kvm

6.201.1. RHBA-2013:0539 — qemu-kvm bug fix update

Updated qemu-kvm packages that fix one bug are now available for Red Hat Enterprise Linux 6.

KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems that is built into the standard Red Hat Enterprise Linux kernel. The qemu-kvm packages form the user-space component for running virtual machines using KVM.

Bug Fix

BZ#908396
Previously, a guest using the e1000 network adapter could do auto-negotiation during a system reset when the link_down flag was set. Consequently, after the reset, the guest network was unavailable. A patch has been provided to address this bug and the guest can now connect to the network after a system reset in the described scenario.

All users of qemu-kvm are advised to upgrade to these updated packages, which fix this bug.

6.201.2. RHBA-2013:0527 — qemu-kvm bug fix and enhancement update

Updated qemu-kvm packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems that is built into the standard Red Hat Enterprise Linux kernel. The qemu-kvm packages form the user-space component for running virtual machines using KVM.

Upgrade to an upstream version

The QEMU guest agent (qemu-ga) provided by the qemu-guest-agent package has been updated to upstream version 1.1, which provides a number of bug fixes and enhancements over the previous version including the following notable changes:

This update provides persistent tracking of the state of the fsfreeze command using the file system so that the qemu-ga daemon is aware of the fsfreeze state even if the daemon dies or is restarted.
The guest-fsfreeze-thaw command has been allowed to run unconditionally so that the qemu-ga daemon is still able to thaw the file system even if the daemon dies or is restarted.
The qemu-ga daemon has been modified to read the /proc/self/mounts file instead of re-reading the /etc/mtab file when the guest-fsfreeze-thaw command is performed on the frozen file system. With this change, the daemon avoids an attempt to change the atime timestamp of the /etc/mtab file, which would be blocked.
The guest-suspend-disk and guest-suspend-ram commands can now be used to suspend to RAM or to disk on a Windows system.
This update fixes a memory leak in the Windows communication code.
The guest-network-get-interfaces command can now be used to acquire network interface information in Linux.
This update provides file system freeze support improvements and fixes.

Besides the above-mentioned important changes, this update also includes various documentation fixes and small improvements. (BZ#827612)

Bug Fixes

BZ#866736
In the SVVP (Server Virtualization Validation Program) environment, when the e1000 network driver was used, the PCI Hardware Compliance Test For Systems job failed. Consequently, the HCK (Hardware Certification Kit) SVVP certification could not be passed on the system. A patch has been provided to address this issue and the test now passes as expected in the described scenario.

BZ#887897
The dynamic hard disk uses the Virtual Hard Disk (VHD) format, and the size of the data offset in its header is 64 bits. Although Microsoft's VHD specification allows initialization of only the first 32 bits, Microsoft Windows VHD images initialize all 64 bits. QEMU previously initialized only the first 32 bits in the VPC code. Consequently, the VHD images generated by the qemu-img utility may not have been recognized in some environments (for example Microsoft Hyper-V virtualization) and by some tools (for example vhd-util). This update modifies QEMU to initialize all 64 bits of the data offset field in the header of the dynamic disks. Images in VHD format generated by qemu-img are now accepted by Microsoft Hyper-V virtualization and can be mounted successfully using the Mount-VHD command.

BZ#851143
With some initial guest OS installations using the QXL driver and VNC as the display protocol, virtual machines were terminating unexpectedly with a segmentation fault during setup and returned the "lost connection with kvm process" error message. A patch has been provided to address this issue and virtual machines now run properly in the described scenario.

BZ#821692
When migrating a guest with the HDA audio device from the host using a newer version of QEMU than the version used by the target host, the migration failed. This was caused by a recent change of the live migration format for the HDA audio device which was not recognized by the older version of QEMU. This update addresses this issue and modifies QEMU to allow sending the data in the old migration format by using the "-M $oldversion" option. The live migration now succeeds in this scenario.

BZ#733720
The initial APIC ID was not set with the correct topology bits when the number of CPU cores or threads was not a power of 2. As a consequence, CPU topology (assignment of CPU cores and threads to CPU sockets) visible to the guest was incorrect. With this update, the underlying code has been modified so that the initial APIC ID is set as expected in this scenario and the guest is now able to obtain the correct CPU topology.

BZ#689665
Previously, qemu-kvm defined an incorrect CPU level for certain CPU models, such as Intel Core 2 Duo P9xxx (Penryn Class Core 2), Intel Celeron_4x0 (Conroe/Merom Class Core 2), and Intel Core i7 9xx (Nehalem Class Core i7). Consequently, the guest system was unable to obtain any additional information about the CPU topology and was able to provide only the CPU level two topology information (package and thread information). This update corrects the underlying code to define the CPU level to be the level four for the aforementioned CPU models so that the guest now can obtain expected CPU topology information.

BZ#831708
When creating a virtual machine (VM) using the "-spice" command line option with the "streaming-video=" sub-option which was assigned an invalid value, the incorrect value was ignored and the VM was successfully created with the default value. This update corrects this behavior, and if the "streaming-video" sub-option is given an invalid value, an attempt to create a VM fails and qemu-kvm exits gracefully.

BZ#852083
Previously, virtual Performance Monitoring Unit (vPMU) pass-through mode was enabled by default on the Intel Xeon Processor E5-XXXX model in qemu-kvm. This could pose a problem when performing a live migration of virtual machines to a new host with fewer PMU counters than the original host had. The guest expected the same set of PMU counters and could terminate unexpectedly due to an attempt to use the non-existing PMU counters. With this update, vPMU pass-through mode has been disabled for the Intel Xeon Processor E5-XXXX model in QEMU on Red Hat Enterprise Linux 6.4 and can only be enabled when using the "-cpu host" option. The guest can no longer crash during live migration in this scenario on Red Hat Enterprise Linux 6.4; however, to keep backward compatibility of live migration, QEMU keeps the old behavior on Red Hat Enterprise Linux 6.3.

BZ#819915
When sending multi-descriptor packets, QEMU emulation of the e1000 NIC previously loaded the packet options field (POPTS) for every data descriptor. This was in conflict with the e1000 specification that requires the POPTS field to be ignored with exception of the first data descriptor of the packet. As a consequence, performance of the emulated e1000 NIC was very poor when working with multi-descriptor packets. With this update, QEMU emulation of e1000 has been corrected so it now behaves in accordance with the specification and POPTS is loaded only for the first data descriptor of the packet. Performance of the emulated e1000 NIC fulfills the user's expectations when processing multi-descriptor packets.

BZ#854528
In VGA mode, SPICE previously used dirty page tracking mechanism to determine which screen areas needed to be updated. Screen areas that had to be updated were tracked with scanline granularity so that even small updates resulted in huge loads of data to be sent. This had a significant impact on SPICE performance in VGA mode. This update modifies SPICE to keep the most recent copy of the screen content that was sent to the SPICE client. The copy is used to determine the exact areas of the screen that need to be updated, and only those pieces are now updated instead of whole scanlines. SPICE performance in VGA mode has increased as expected.

Enhancements

BZ#843084
Red Hat Enterprise Linux 6.4 adds support for Intel's next-generation Core processor to qemu-kvm so that KVM guests can utilize the new features this processor provides, the most important of which are: Advanced Vector Extensions 2 (AVX2), Bit-Manipulation Instructions 1 (BMI1), Bit-Manipulation Instructions 2 (BMI2), Hardware Lock Elision (HLE), Restricted Transactional Memory (RTM), Process-Context Identifier (PCID), Invalidate Process-Context Identifier (INVPCID), Fused Multiply-Add (FMA), Big-Endian Move instruction (MOVBE), F Segment and G Segment BASE instruction (FSGSBASE), Supervisor Mode Execution Prevention (SMEP), Enhanced REP MOVSB/STOSB (ERMS).

BZ#767233
Red Hat Enterprise Linux 6.4 supports merging of external snapshots into a backing file chain while the guest is live. Merging snapshots into the backing file chains is often faster, and fits certain workflows better than forward streaming. Snapshot data resides in the backing file specified for the merge, and merged snapshots can then be removed.

BZ#805172
KVM now supports live migration of guests with USB devices. The following devices are supported: Enhanced Host Controller Interface (EHCI) and Universal Host Controller Interface (UHCI) local passthrough and emulated devices such as storage devices, mice, keyboards, hubs, and others.

BZ#838126
The AMD Opteron 4xxx series processor is now supported by qemu-kvm. This allows the new features of this processor series to be exposed to KVM guests, such as: the F16C instruction set, Trailing Bit Manipulation, BMI1 decimate functions, and the Fused Multiply-Add (FMA) instruction set.

BZ#852665
With this update, the e1000 driver has been modified to flush the receive queue whenever it is replenished. Also, whenever the receive queue is emptied, the drivers now notify the I/O thread to repoll the file descriptor. This improvement significantly decreases the guest's latency.

BZ#861331
KVM now supports live migration of guests using USB forwarding via SPICE, while maintaining existing USB device redirection for all configured devices.

BZ#835101
When both host and guest systems are updated to Red Hat Enterprise Linux 6.4 or newer, interrupt-intensive workloads, such as incoming network traffic with a virtio network device, have the number of context switches between the VM and the hypervisor optimized. This significantly reduces CPU utilization of the host.

BZ#801063
This update allows a sound device to be detected as a microphone or a speaker in the guest system (in addition to being detected as line-in and line-out). Sound devices can now function properly in guest applications that accept only certain types of input for voice recording and audio.

BZ#854191
The QEMU user was previously unable to control the time delay before SeaBIOS rebooted a guest if no bootable device was found. This update enables the QEMU user to control the boot process of the guest by adding a new boot option, "-boot reboot-timeout=T", where T is the delay time in milliseconds. The option allows QEMU to transfer the /etc/boot-fail-wait configuration file to SeaBIOS and set the reboot timeout. The user can even prevent SeaBIOS from rebooting the guest by setting the reboot-timeout option to "-1", which is the default value.

Users of qemu-kvm are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.202. ql2400-firmware

6.202.1. RHBA-2013:0402 — ql2400-firmware bug fix and enhancement update

An updated ql2400-firmware package that fixes multiple bugs and adds various enhancements is now available for Red Hat Enterprise Linux 6.

The ql2400-firmware package provides the firmware required to run the QLogic 2400 Series of mass storage adapters.

Upgrade to an upstream version

This update upgrades the ql2400 firmware to upstream version 5.08.00, which provides a number of bug fixes and enhancements over the previous version. (BZ#826665)

All users of QLogic 2400 Series Fibre Channel adapters are advised to upgrade to this updated package, which fixes these bugs and adds these enhancements.

6.203. ql2500-firmware

6.203.1. RHBA-2013:0403 — ql2500-firmware bug fix and enhancement update

An updated ql2500-firmware package that fixes multiple bugs and adds various enhancements is now available for Red Hat Enterprise Linux 6.

The ql2500-firmware package provides the firmware required to run the QLogic 2500 Series of mass storage adapters.

Upgrade to an upstream version

This update upgrades the ql2500 firmware to upstream version 5.08.00, which provides a number of bug fixes and enhancements over the previous version. (BZ#826667)

All users of QLogic 2500 Series Fibre Channel adapters are advised to upgrade to this updated package, which fixes these bugs and adds these enhancements.

6.204. qt

6.204.1. RHBA-2012:1246 — qt bug fix update

Updated qt packages that fix two bugs are now available for Red Hat Enterprise Linux 6.

The qt packages contain a software toolkit that simplifies the task of writing and maintaining GUI (Graphical User Interface) applications for the X Window System.

Bug Fixes

BZ#678604
Prior to this update, the mouse pointer could, under certain circumstances, disappear when using the IRC client Konversation. This update modifies the underlying code to reset the cursor on the parent and set the cursor on the new window handle. Now, the mouse pointer no longer disappears.

BZ#847866
Prior to this update, the high precision coordinates of the QTabletEvent class failed to handle multiple Wacom devices. As a consequence, only the device that was loaded first worked correctly. This update modifies the underlying code so that multiple Wacom devices are handled as expected.

All users of qt are advised to upgrade to these updated packages, which fix these bugs.

6.205. quota

6.205.1. RHBA-2012:1472 — quota bug fix update

Updated quota packages that fix multiple bugs are now available for Red Hat Enterprise Linux 6.

The quota packages contain a suite of system administration tools for monitoring and limiting user and group disk usage on file systems.

Bug Fixes

BZ#680919
Prior to this update, warnquota sent emails from <[email protected]> if the quota limit was exceeded and the warnquota tool was enabled to send warning emails and the default warnquota configuration was not changed. As a consequence, users could wrongly reply to this address and email bounces were delivered to the mailbox of <[email protected]>. This update modifies the default warnquota configuration to use the reserved domain "example.com".

BZ#683554
Prior to this update, the option "-r" for setquota and edquota failed to set the grace times for NFS-mounted file systems without reporting errors because the underlying remote procedure call protocol does not support this option. This update disables the option "-r". With this update, the option to set grace times over the network is disabled and error messages are sent when using the "-r" option.

BZ#692390
Prior to this update, the quotacheck tool could mishandle UIDs in processed fsv1 quota files if a user's block limit was reached. This update zeroes uninitialized padding in the "v2r1 ddquot" structure before running subsequent checks.

BZ#704216
Prior to this update, the edquota tool could abort with a segmentation fault if the name server switch was configured to use the libdb back end. This update modifies the underlying code to make the "dirname" symbol in edquota sources static to avoid pollution of the symbol name space confusing the dynamic linker. Now, edquota runs on systems which use the Berkeley DB (BDB) database for storing user names, group names, or passwords.

BZ#730057
Prior to this update, the quota_nld service logged the error message "Failed to find tty of [UID] to report warning to" when users without an interactive session exceeded the disk quota limit while running quota_nld service. This update applies these warnings to non-daemon debugging mode of quota_nld only.

BZ#770307
Prior to this update, the warnquota tool sent a badly worded email message. This update changes the wording, and the text is now more representative.

All users of quota are advised to upgrade to these updated packages, which fix these bugs.

6.206. rdesktop

6.206.1. RHBA-2012:1276 — rdesktop bug fix update

Updated rdesktop packages that fix multiple bugs are now available for Red Hat Enterprise Linux 6.

The rdesktop packages provide a client for the Remote Desktop Server in Microsoft Windows. The rdesktop client uses the Remote Desktop Protocol (RDP) to remotely present a user's desktop.

Bug Fixes

BZ#680917, BZ#772020
Prior to this update, redundant conversion functions did not handle the PC/SC (Personal Computer/Smart Card) integration correctly. As a consequence, the rdesktop on AMD64 and Intel 64 platforms failed to connect and incorrectly. This update removes these redundant functions. This update also adds smart card reader support for AMD64 and Intel 64 platforms. Now, the rdesktop connects as expected.

BZ#680926
Prior to this update, the rdesktop code for smart card integration with PC/SC caused a buffer overflow on AMD64 and Intel 64 platforms. As a consequence, the glibc function "free()" was aborted with a segmentation fault. This update uses the correct structure and the glibc function "free()" works now as expected.

BZ#782494
Prior to this update, the server generated a cursor-related command that the rdesktop client did not support when using rdesktop to connect to Windows Server 2008 R2 platforms. As a consequence, the mouse pointer was all black. With this update, the mouse pointer is drawn correctly when connecting to Windows Server 2008 R2.

BZ#820008Prior to this update, the specification file incorrectly listed the libao-devel package as an installdependency for rdesktop. This update removes the libao-devel dependency from the

Red Hat Enterprise Linux 6 6.4 Technical Notes

336

Page 341: Red Hat Enterprise Linux-6-6.4 Technical Notes-En-US

specification file.

BZ#831095Prior to this update, the rdesktop client did not handle the licenses correctly, As a consequence,certain Terminal Services failed to connect after the first connection with the error message"disconnect: Internal licensing error". This update modifies the underlying code to handlelicenses as expected. Now, Terminal Services connect as expected.

All users of rdesktop are advised to upgrade to these updated packages, which fix these bugs.

6.207. rdma

6.207.1. RHSA-2013:0509 — Low: rdma security, bug fix and enhancement update

Updated RDMA packages that fix multiple security issues, various bugs, and add an enhancement are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.

Red Hat Enterprise Linux includes a collection of InfiniBand and iWARP utilities, libraries and development packages for writing applications that use Remote Direct Memory Access (RDMA) technology.

Security Fixes

CVE-2012-4517

A denial of service flaw was found in the way ibacm managed reference counts for multicast connections. An attacker could send specially-crafted multicast packets that would cause the ibacm daemon to crash.

CVE-2012-4518

It was found that the ibacm daemon created some files with world-writable permissions. A local attacker could use this flaw to overwrite the contents of the ibacm.log or ibacm.port file, allowing them to mask certain actions from the log or cause ibacm to run on a non-default port.

CVE-2012-4518 was discovered by Florian Weimer of the Red Hat Product Security Team and Kurt Seifried of the Red Hat Security Response Team.
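A defender-side check for the condition behind CVE-2012-4518, as an added example that is not code from Red Hat or the ibacm project: it flags files whose mode grants write access to "other" and shows a log file being created with an explicit restrictive mode. The function names are hypothetical, and the files are created in a temporary directory because these notes do not give the real paths.

```python
import os
import stat
import tempfile


def world_writable(paths):
    """Return (path, mode string) for every path that any local user can write."""
    findings = []
    for path in paths:
        try:
            st = os.lstat(path)          # lstat: inspect the entry itself, not a link target
        except FileNotFoundError:
            continue
        if stat.S_ISLNK(st.st_mode):
            continue                     # symlink mode bits carry no meaning on Linux
        if stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX:
            continue                     # sticky directories such as /tmp are expected
        if st.st_mode & stat.S_IWOTH:
            findings.append((path, stat.filemode(st.st_mode)))
    return findings


def create_private(path, mode=0o640):
    """Create a new file with exactly `mode`, whatever the process umask is."""
    # O_EXCL refuses to reuse an existing file; O_NOFOLLOW refuses a planted symlink.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, mode)
    try:
        os.fchmod(fd, mode)              # the umask can only clear bits; set them explicitly
    finally:
        os.close(fd)


def demo():
    """Constructed scenario: two daemon state files, first weak, then recreated safely."""
    with tempfile.TemporaryDirectory() as workdir:
        files = [os.path.join(workdir, name) for name in ("ibacm.log", "ibacm.port")]
        for path in files:
            with open(path, "w") as handle:
                handle.write("constructed sample content\n")
            os.chmod(path, 0o666)        # reproduce the world-writable state
        before = [(os.path.basename(p), m) for p, m in world_writable(files)]
        for path in files:
            os.remove(path)
            create_private(path)
        after = world_writable(files)
        return before, after


if __name__ == "__main__":
    weak, fixed = demo()
    print("world-writable before:", weak)
    print("world-writable after: ", fixed)
```
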

The InfiniBand/iWARP/RDMA stack components have been upgraded to more recent upstream versions.

Bug Fixes

BZ#818606

Previously, the "ibnodes -h" command did not show a proper usage message. With this update the problem is fixed and "ibnodes -h" now shows the correct usage message.

BZ#822781

Previously, the ibv_devinfo utility erroneously showed iWARP cxgb3 hardware's physical state as invalid even when the device was working. For iWARP hardware, the phys_state field has no meaning. This update patches the utility to not print out anything for this field when the hardware is iWARP hardware.

BZ#834428

Prior to the release of Red Hat Enterprise Linux 6.3, the kernel created the InfiniBand device files in the wrong place and a udev rules file was used to force the devices to be created in the proper place. With the update to 6.3, the kernel was fixed to create the InfiniBand device files in the proper place, and so the udev rules file was removed as no longer being necessary. However, a bug in the kernel device creation meant that, although the devices were now being created in the right place, they had incorrect permissions. Consequently, when users attempted to run an RDMA application as a non-root user, the application failed to get the necessary permissions to use the RDMA device and the application terminated. This update puts a new udev rules file in place. It no longer attempts to create the InfiniBand devices since they already exist, but it does correct the device permissions on the files.

BZ#847129

Previously, using the "perfquery -C" command with a host name caused the perfquery utility to become unresponsive. The list of controllers to process was never cleared and the process looped infinitely on a single controller. A patch has been applied to make sure that in the case where the user passes in the -C option, the controller list is cleared out once that controller has been processed. As a result, perfquery now works as expected in the scenario described.

BZ#862857

The OpenSM init script did not handle the case where there were no configuration files under "/etc/rdma/opensm.conf.*". With this update, the script has been patched and the InfiniBand Subnet Manager, OpenSM, now starts as expected in the scenario described.

Enhancement

BZ#869737

This update provides an updated mlx4_ib Mellanox driver which includes Single Root I/O Virtualization (SR-IOV) support.

All users of RDMA are advised to upgrade to these updated packages, which fix these issues and add this enhancement.

6.208. redhat-lsb

6.208.1. RHBA-2013:0448 — redhat-lsb bug fix and enhancement update

Updated redhat-lsb packages that fix several bugs and add an enhancement are now available for Red Hat Enterprise Linux 6.

Linux Standards Base (LSB) provides a set of standards that increases compatibility among Linux distributions. The redhat-lsb packages provide utilities needed for LSB compliant applications. They also contain requirements that ensure that all components required by LSB are installed on the system.

Bug Fixes

BZ#709016

Previously, the redhat-lsb-core subpackage was missing from the redhat-lsb packages. Consequently, a large number of unnecessary dependencies was pulled in when redhat-lsb was required. This update provides redhat-lsb-core, which has minimal requirements, thus preventing this bug.

BZ#844602

An inaccurate brand name was used in the redhat-lsb package description. This update fixes the description.

BZ#833058

Previously, the /etc/lsb-release file specified in the lsb_release man page was missing from the redhat-lsb packages. This update adds this file, which provides information about LSB modules installed on the system.

Enhancement

BZ#801158

It is now possible to install LSB subpackages, such as redhat-lsb-core, redhat-lsb-c++, redhat-lsb-graphics, or redhat-lsb-printing, separately without having to install the redhat-lsb package with all dependencies that might be unnecessary on a system.

Users of redhat-lsb are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.

6.209. redhat-release

6.209.1. RHEA-2013:0379 — redhat-release enhancement update for Red Hat Enterprise Linux 6.4

Enhanced redhat-release packages are now available for Red Hat Enterprise Linux 6.4.

The redhat-release package contains licensing information regarding, and identifies the installed version of, Red Hat Enterprise Linux.

These updated redhat-release packages reflect changes made for the release of Red Hat Enterprise Linux 6.4.

Users of Red Hat Enterprise Linux 6 are advised to upgrade to these updated redhat-release packages,which add this enhancement.

6.210. redhat-rpm-config

6.210.1. RHBA-2013:0460 — redhat-rpm-config bug fix and enhancement update

Updated redhat-rpm-config packages that fix two bugs and add two enhancements are now available for Red Hat Enterprise Linux 6.

The redhat-rpm-config packages are used during the build of RPM packages to apply various default distribution options determined by Red Hat. They also provide a few Red Hat RPM macro customizations, such as those used during the building of Driver Update packages.

Bug Fixes

BZ#795577

The kmodtool script is a helper script for building kernel module RPMs. Previously, the "verrel" parameter in the kmodtool script returned the kernel version and variant string with a dangling sign ("."). With this update, the dangling sign has been removed from the "verrel" output.

BZ#822073

The "brp-java-repack-jars" script was unable to correctly handle certain Java Archive (JAR) files. Those files set permissions on "exploded" directory hierarchies to non-standard permissions modes, such as "0000". With this update, standard user permissions are set correctly on the "exploded" directory hierarchy, which prevents certain errors from occurring, such as being unable to remove the directory tree when it is necessary to do so.

Enhancements

BZ#669638

Previously, the number of parallel compilation jobs suggested by the %_smp_mflags macro was limited to a maximum of 16 CPUs. This update introduces the %_smp_ncpus_max macro, which makes the CPU limit adjustable.

BZ#869062

Previously, the /usr/lib/rpm/redhat/rpmrc file contained a leftover "macrofiles" line, which is ignored by later versions of RPM. With this update, the aforementioned line has been removed from rpmrc to avoid confusion.

All users of redhat-rpm-config are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.211. Red Hat Enterprise Linux Release Notes

6.211.1. RHEA-2013:0439 — Red Hat Enterprise Linux 6.4 Release Notes

Updated packages containing the Release Notes for Red Hat Enterprise Linux 6.4 are now available.

Red Hat Enterprise Linux minor releases are an aggregation of individual enhancement, security and bug fix errata. The Red Hat Enterprise Linux 6.4 Release Notes documents the major changes made to the Red Hat Enterprise Linux 6 operating system and its accompanying applications for this minor release. Detailed notes on all changes in this minor release are available in the Technical Notes.

Refer to the Online Release Notes for the most up-to-date version of the Red Hat Enterprise Linux 6.4 Release Notes:

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/6.4_Release_Notes/index.html

Note

Starting with the 6.4 release of the online Release Notes, the "Device Drivers" chapter has been moved to the online Technical Notes: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/6.4_Technical_Notes/ch-device_drivers.html

6.212. resource-agents

6.212.1. RHBA-2013:0288 — resource-agents bug fix and enhancement update

Updated resource-agents packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The resource-agents packages contain a set of scripts to interface with several services to operate in a High Availability (HA) environment for both the Pacemaker and rgmanager service managers.

Bug Fixes

BZ#714156

Previously, the status action in the netfs interface failed to write any output to the /var/log/cluster/rgmanager.log file. Consequently, it was not possible to verify if the status check of an NFS mount was successful. The bug has been fixed, and results of the status check are now properly stored in the log file.

BZ#728365

For HA-LVM to work properly, the /boot/initrd.img file, which is used during the boot process, must be synchronized with the /etc/lvm/lvm.conf file. Previously, the HA-LVM startup failed when lvm.conf was changed without updating initrd.img. With this update, this behavior has been modified. A warning message is now displayed, but the startup is no longer terminated in the described case.

BZ#729812

Prior to this update, occasional service failures occurred when starting the clvmd variant of the HA-LVM service on multiple nodes in a cluster at the same time. The start of an HA-LVM resource coincided with another node initializing that same HA-LVM resource. With this update, a patch has been introduced to synchronize the initialization of both resources. As a result, services no longer fail due to the simultaneous initialization.

BZ#817550

When the oracledb.sh script was called with the status argument, it restarted the database after checking its status without any notification to the rgmanager application. This bug has been fixed, and the unwanted restart no longer occurs.

BZ#822244

Previously, the /usr/sbin/tomcat-6.sh script parsed configuration files and set shell variables before starting the Apache Tomcat 6 servlet container. Consequently, the default configuration was ignored. This bug has been fixed and the aforementioned problem no longer occurs.

BZ#839181

Previously, output of HA-LVM commands that contained more than one word was not correctly parsed. Consequently, starting an HA-LVM service with the rg_test command occasionally failed with the following message:

too many arguments

With this update, the underlying source code has been modified to add quotation marks around variables that expand to more than one word. As a result, the aforementioned startup errors no longer occur.

BZ#847335

If the contents of the /proc/mounts file changed during a status check operation of the file system resource agent, the status check could incorrectly detect a missing mount and mark the service as failed. This bug has been fixed and rgmanager's file system resource agent no longer reports false failures in the described scenario.

BZ#848642

Previously, rgmanager did not recognize CIFS (Common Internet File System) mounts in case their corresponding entries in the device field of the /proc/mounts file contained trailing slashes. With this update, a patch has been introduced to remove trailing slashes from device names when reading the contents of /proc/mounts. As a result, CIFS mounts are now recognized properly.

BZ#853249

Prior to this update, when running a file system depending on an LVM resource in a service, and that LVM resource failed to start, the subsequent attempt to unregister the file system resource failed. This bug has been fixed, and a file system resource can now be successfully unregistered after a failed mount operation.

BZ#860328

Previously, when using the HA-LVM resource agent in the Pacemaker cluster environment, several errors and failed actions occurred. With this update, several scripts have been added to prevent these errors. These scripts repair the treatment of whitespace within HA-LVM and the processing of non-zero codes in rgmanager. In addition, the member_util utility has been updated to use Corosync and Pacemaker when rgmanager is not present on the system.

BZ#860981

Previously, when a node lost access to the storage device, HA-LVM was unable to deactivate the volume group for the services running in that node. The underlying source code has been modified to allow services to migrate to other machines that still have access to storage devices, thus preventing this bug.

BZ#869695

Previously, SAP instances started by the SAPInstance cluster resource agent inherited limits on system resources for the root user. Higher limits were needed on the maximum number of open files (ulimit -n), the maximum stack size (ulimit -s), and the maximum size of data segments (ulimit -d). With this update, the SAPInstance agent has been modified to accept limits specified in the /usr/sap/services file. As a result, system resource limits can now be specified manually.

Enhancements

BZ#773478

With this update, the /usr/share/cluster/script.sh resource, used mainly by the rgmanager application, has been enhanced to provide more informative reports on causes of internal errors.

BZ#822053

With this update, the nfsrestart option has been added to both the fs and clusterfs resource agents. This option provides a way to forcefully restart NFS servers and allow a clean unmount of an exported file system.

BZ#834293

The pacemaker SAPInstance and SAPDatabase resource agents have been updated with the latest upstream patches.

BZ#843049

A new prefer_interface parameter has been added to the rgmanager ip.sh resource agent. This parameter is used for adding an IP address to a particular network interface when a cluster node has multiple active interfaces with IP addresses on the same subnetwork.

All users of resource-agents are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.213. rgmanager

6.213.1. RHBA-2013:0409 — rgmanager bug fix update

Updated rgmanager packages that fix several bugs are now available for Red Hat Enterprise Linux 6.

The rgmanager packages contain the Red Hat Resource Group Manager, which allows you to create and manage high-availability server applications in the event of system downtime.

Bug Fixes

BZ#825375

Due to an unlocked access to internal DBus data structures from different rgmanager threads, rgmanager could terminate unexpectedly inside dbus library functions when running rgmanager without the "-q" flag (set as default). The underlying source code has been modified and rgmanager no longer fails in this situation.

BZ#831658

Previously, rgmanager preferred two nodes in a three-node cluster, which caused the third node to be unused. The configuration has been changed and rgmanager now uses all nodes in the cluster as expected.

BZ#833347

Previously, the cpglockd init script was not included in the chkconfig configuration file. This update adds cpglockd in this file.

BZ#853251

Resource Group Manager failed to stop a resource if it was located on an unmounted file system. As a result of this failure, rgmanager treated the resource as missing and marked the appropriate service as failed, which prevented the cluster from recovering the service. This update allows rgmanager to ignore this error if a resource has not been previously started with a service. The service can now be properly started on a different host.

BZ#861157

When rgmanager received a remote start message for a particular service while already in the process of starting that service locally, a deadlock could occur. This sometimes happened during the recovery of a service that had failed its start operation. This bug has been fixed and rgmanager works as expected.

BZ#879031

When a service is configured with a recoverable resource, such as nfsclient, a failure of that client correctly triggers the recovery function. However, even if the recovery operation was successful, rgmanager still stopped and recovered the service. The underlying source code has been modified and rgmanager no longer stops successfully recovered clients.

All users of rgmanager are advised to upgrade to these updated packages, which fix these bugs.

6.214. rhn-client-tools

6.214.1. RHBA-2013:0388 — rhn-client-tools bug fix and enhancement update

Updated rhn-client-tools packages that fix several bugs and add one enhancement are now available for Red Hat Enterprise Linux 6.

Red Hat Network Client Tools provide utilities for connecting to and receiving content from Red Hat Network.

Bug Fixes

BZ#784964

If a system used multiple network interfaces, the Satellite server might have discovered a different IP address from the one the user used to connect to Red Hat Network. This caused Red Hat Network to display incorrect information in the web UI. The underlying source code has been modified, so that the correct IP is now discovered and the correct information is displayed in the web UI.

BZ#842834

Multiple-server failover did not work properly; a socket error could occur when multiple servers were configured. This update ensures that the user can configure additional servers to try if the first option fails.

BZ#815695

Previously, the rhn-channel utility could ignore configured proxy servers when used with certain options, for example, "--available-channels". This problem has been fixed and the specified proxy servers are used as expected in this scenario.

BZ#811641

Due to a bug in the source code, the rhn_register utility could throw a traceback during registration if a USB device was connected in the system. The bug has been fixed, and Red Hat Network registrations work correctly in this scenario.

BZ#839791

Previously, the rhn-profile-sync utility exited with an incorrect exit code if an error occurred. This update ensures that rhn-profile-sync exits with the correct exit code.

BZ#823551

Previously, the firstboot and rhn_register GUIs displayed confusing or conflicting information that did not reflect changes to Subscription Manager. The text has been updated to be clearer and more specific.

BZ#830776

The rhn_check utility failed with a traceback if another instance of rhn_check was running. With this update, if the user attempts to run rhn_check while another instance is running, an appropriate error message will be displayed.

BZ#810315

An outdated example icon was displayed on the Set Up Software Update screen in firstboot. The icon has been replaced to provide an example that matches what users see on their system.

BZ#839935

Previously, attempting to subscribe to a non-existent channel using the rhn-channel utility failed with a traceback. With this update, an informative error message appears in this scenario.

BZ#786422

This update fixes a typo that previously existed in the text of the rhn_register user interface.

BZ#846359

The rhn-channel utility did not properly parse certain methods used for specifying command-line options. As a consequence, rhn-channel could fail with a traceback. This update ensures that rhn-channel can properly parse various ways that options are commonly specified in bash.

BZ#851657

Titles for some windows in the rhn_register GUI did not follow standard title capitalization; some titles were lowercase. This update ensures that the titles are uppercase where appropriate.

BZ#878758

When running the rhn_register utility, the "Enter your account information" page contained a link pointing to a non-existing web page. The link has been fixed and now points to the correct page.

Enhancement

BZ#859281

The "-b" option can now be specified for the rhn-channel utility to display the current base channel of the system.

All users of rhn-client-tools are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.

6.215. ricci

6.215.1. RHBA-2013:0453 — ricci bug fix and enhancement update

Updated ricci packages that fix several bugs and add one enhancement are now available for Red Hat Enterprise Linux 6.

The ricci packages contain a daemon and a client for remote configuration and management of clusters.

Bug Fixes

BZ#811702

Prior to this update, if the ricci daemon was not running on all nodes, executing the "ccs --stopall" command caused an attribute error to occur. With this update, the code has been fixed and the error no longer occurs in the aforementioned scenario.

BZ#815752

Previously, a segmentation fault occurred in both the ricci daemon and ccs_sync utility when processing a larger cluster.conf file. This was caused by an insufficient thread stack size in ricci. The ccs_sync utility terminated unexpectedly due to incorrect behavior of the PR_Write function. With this update, a patch has been introduced to fix both causes. As a result, the segmentation fault no longer occurs.

BZ#877381

Previously, a segmentation fault occurred in the ricci daemon when processing cluster.conf files with very large values. This was caused by allocating large amounts of memory not available on the stack. With this update, a patch has been introduced to allocate memory on the heap and provide an error if not enough memory is available. As a result, the segmentation fault no longer occurs.

BZ#818335

Previously, the "ccs_sync" command did not return a non-zero exit code if an error occurred or the ricci daemon was not running, even when running the command with the "-w" option to exit with a failure status if any warnings were issued. The underlying source code has been modified so that "ccs_sync" with the "-w" option now returns "1" on failure.

BZ#839039

With this update, a minor typographical error has been fixed in the ccs error message related to being unable to start a node, possibly due to lack of quorum.

BZ#841288

Previously, the "ccs --lsmisc" command did not properly display the alternate multicast address. The bug has been fixed, and the alternate multicast address is now reported correctly when --lsmisc is used.

BZ#867019

Previously, the ccs program failed to generate certificates when running on a read-only NFS. This bug has been fixed and ccs now generates certificates regardless of the type of the current working directory.

BZ#866894

Previously, the ccs program incorrectly handled the cluster.conf file when adding a resource into the file. Consequently, the resulting cluster.conf was invalid. This bug has been fixed and ccs now works correctly in the described case.

BZ#842939

Previously, the ricci daemon would not properly handle yum output when it was split over multiple lines. Consequently, in certain circumstances the conga management system was unable to list or install packages. This bug has been fixed and ricci now works correctly in the described case.

Enhancement

BZ#878108

The cluster schema has been updated to match the current Red Hat Enterprise Linux 6.4 cluster packages.

All users of ricci are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.

6.216. rpcbind

6.216.1. RHBA-2013:0291 — rpcbind bug fix and enhancement update

Updated rpcbind packages that fix two bugs and add one enhancement are now available for Red Hat Enterprise Linux 6.

The rpcbind utility maps RPC (Remote Procedure Call) services to the ports on which the services listen and allows the host to make RPC calls to the RPC server.

Bug Fixes

BZ#813898

Previously, the rpcbind(8) man page referred to rpcbind(3) for which no entry existed. This update adds the missing rpcbind(3) man page.

BZ#864056

Using Reverse Address Resolution Protocol (RARP) and the bootparams file for booting Solaris or SPARC machines did not work properly. The SPARC systems sent broadcast bootparams WHOAMI requests, but the answer was never sent back by rpcbind. This bug has been fixed and rpcbind no longer discards the bootparams WHOAMI requests in the described scenario.

Enhancement

BZ#731542

When using rpcbind's insecure mode via the "-i" option, non-root local users are now allowed to set and unset calls from remote hosts.

All users of rpcbind are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.

6.217. rpmdevtools

6.217.1. RHBA-2012:1313 — rpmdevtools bug fix update

Updated rpmdevtools packages that fix one bug are now available for Red Hat Enterprise Linux 6.

The rpmdevtools packages contain scripts and (X)Emacs support files to aid in development of RPM packages.

Bug Fix

BZ#730770

Prior to this update, the sample spec files referred to a deprecated BuildRoot tag. The tag was ignored if it was defined. This update removes the BuildRoot tags from all sample spec files.

All users of rpmdevtools are advised to upgrade to these updated packages, which fix this bug.

6.218. rpm

6.218.1. RHBA-2013:0461 — rpm bug fix and enhancement update

Updated rpm packages that fix several bugs and add two enhancements are now available for Red Hat Enterprise Linux 6.

The RPM Package Manager (RPM) is a powerful command-line driven package management system that can install, uninstall, verify, query and update software packages.

Bug Fixes

BZ#664696

Previously, PGP keys were loaded even if they were not needed. Consequently, under certain conditions, RPM could not be opened. With this update, the PGP keys are loaded only when needed and RPM no longer fails to start.

BZ#727872

The debuginfo packages contained only one symbolic link per build ID. When multiple identical binaries existed on the system, only one of them was linked. With this update, numbered symbolic links are created instead.

BZ#730473

Setting the %defattr macro in a package's spec file overrode the directory permissions given by the %attr macro so that directories were created with incorrect permissions during installation of the package. This update modifies the underlying RPM code to prevent the %defattr macro from overriding the %attr macro. The directories are now created with the correct permissions by RPM.

BZ#743229

The value of the %_host macro was set to "x86_64-unknown-linux-gnu" by default. With this update, the word "unknown" is replaced by "redhat" as is expected by several parts of the build chain.

BZ#773503

Previously, using the "rpmbuild" command caused the [patched].orig file to be created without any indication, which could confuse the user. This update modifies the underlying source code so that rpmbuild no longer runs the patch utility with the "-s" command line option.

BZ#802839

When a large package was sent to the standard input (stdin), the rpm2cpio utility terminated. With this update, the underlying source code has been modified and rpm2cpio works as expected in this situation.

BZ#825147

Previously, using the RPM API for parsing spec files caused macros defined in a spec file to remain in the RPM macro "environment" after the parsing routine exited. This behavior affected the parsing results if more than one spec file was parsed per process lifetime. To resolve the problem, this update backports the reloadConfig() method from RPM 4.10's Python API. Multiple spec files can now be safely processed within a single process.

BZ#829621

An attempt to import multi-key PGP armors caused the rpm utility to fail, which could lead to memory corruption or RPM database corruption. With this update, rpm has been modified to reject multi-key PGP armors. As a result, when importing multi-key PGP armors, the "unsupported=multikey packets/armors" error message is returned.

BZ#858731

Due to the lack of DWARF 3 and 4 format support, the rpmbuild utility was not able to produce usable debug packages with newer compilers. This update adds the required support for the debugedit utility to RPM, and DWARF 3 and 4 formats are now supported as expected.

BZ#869667

Previously, RPM returned the 0 exit code even if the import of a PGP key failed. The underlying source code has been modified to fix this bug and RPM no longer returns 0 if key import fails.

BZ#804049, BZ#845065

This update contains several minor fixes and corrections in the rpm(8) manual page.

Enhancements

BZ#825087

This enhancement improves RPM to support the dpkg-style tilde character ("~") in the package's version and the release string to signify lower priority in version comparison. Note that this enhancement could affect packages that already have the tilde character in their version or release, and that the updated version of RPM does not work with packages that were built with an old RPM version.

BZ#839126, BZ#845063

This update adds the description of the --eval, --setperms and --setugid parameters to the rpm(8) manual page.

All users of rpm are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.
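How the tilde rule from BZ#825087 changes ordering, as an added example rather than RPM's own code: a Python re-implementation of segment-wise version comparison, modelled on RPM's rpmvercmp rules, with the tilde rule switchable. The function names are hypothetical, the version strings are constructed, and the tilde=False branch is an assumed model of a comparison that treats "~" as an ordinary separator.

```python
import functools
import string

_DIGITS = set(string.digits)
_ALPHA = set(string.ascii_letters)


def rpmvercmp(a, b, tilde=True):
    """Compare two version or release strings; return -1, 0 or 1.

    tilde=True  : "~" sorts before everything, including the end of the string.
    tilde=False : "~" is skipped like any other separator (assumed model of a
                  comparison without tilde support).
    """
    if a == b:
        return 0
    keep = _DIGITS | _ALPHA | ({"~"} if tilde else set())
    i = j = 0
    while i < len(a) or j < len(b):
        # Skip separators such as "." "-" "_".
        while i < len(a) and a[i] not in keep:
            i += 1
        while j < len(b) and b[j] not in keep:
            j += 1
        # Tilde rule: the side that has "~" here is the older one.
        a_tilde = i < len(a) and a[i] == "~"
        b_tilde = j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:
            if not a_tilde:
                return 1
            if not b_tilde:
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # Take one all-digit or all-letter segment from each string.
        numeric = a[i] in _DIGITS
        kind = _DIGITS if numeric else _ALPHA
        start_i, start_j = i, j
        while i < len(a) and a[i] in kind:
            i += 1
        while j < len(b) and b[j] in kind:
            j += 1
        seg_a, seg_b = a[start_i:i], b[start_j:j]
        if not seg_b:
            return 1 if numeric else -1      # a numeric segment beats an alphabetic one
        if numeric:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):     # more digits means a larger number
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return 1 if i < len(a) else -1           # whichever string has text left is newer


def sort_versions(versions, tilde=True):
    """Sort oldest first under the chosen comparison rules."""
    key = functools.cmp_to_key(lambda x, y: rpmvercmp(x, y, tilde))
    return sorted(versions, key=key)


# Constructed version strings for illustration.
SAMPLE = ["1.0", "1.0~rc2", "1.0.1", "1.0~rc1", "0.9"]

if __name__ == "__main__":
    print("with tilde rule:   ", sort_versions(SAMPLE))
    print("without tilde rule:", sort_versions(SAMPLE, tilde=False))
```

With the tilde rule a pre-release such as 1.0~rc1 sorts below 1.0, so the final build is seen as the upgrade; without it the order of the two is reversed, which is why the note warns about packages that already carry a tilde.
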

6.219. rsyslog

6.219.1. RHBA-2013:0450 — rsyslog bug fix update

Updated rsyslog packages that fix three bugs are now available for Red Hat Enterprise Linux 6.

The rsyslog packages provide an enhanced, multi-threaded syslog daemon. Rsyslog supports MySQL, syslog/TCP, RFC 3195, permitted sender lists, filtering on any message part, and fine grain output format control.

Bug Fixes

BZ#838148

Prior to this update, the rsyslog packages depended on a newer selinux-policy which the rsyslog spec file did not reflect. The command "yum --security update" updated rsyslog but not the selinux-policy. As a consequence, rsyslog malfunctioned when booting and depending services failed, including login. This update modifies the spec file to prevent installation with an incompatible selinux-policy package and enforce its update if available.

BZ#847568

Prior to this update, the rule that was specified immediately before the "$IncludeConfig" directive was reordered after the contents of the included configuration file due to a handling problem in the configuration file parser. As a consequence, the order of processing was different from the intended one with the potential of message losses. This update modifies the underlying code so that the order of processing is the same as in the configuration file.

BZ#886004

Prior to this update, the Unix Socket Input plug-in for rsyslog did not consider the timestamp format specified by the RFC 5424 Syslog Protocol for timestamps derived from RFC 3339. As a consequence, messages sent to the syslog daemon via Unix sockets that used the RFC 3339-derived timestamp format were silently discarded. This update supports this timestamp format. Messages sent to the rsyslog system logging daemon via Unix sockets that use the RFC 3339-derived timestamp format are now accepted and processed properly.

All rsyslog users are advised to upgrade to these updated packages, which fix these bugs.

6.220. s390utils

6.220.1. RHBA-2013:0395 — s390utils bug fix and enhancement update

Updated s390utils packages that fix several bugs and add two enhancements are now available for Red Hat Enterprise Linux 6.

The s390utils packages contain a set of user space utilities for Linux on IBM System z architecture.

Bug Fixes

BZ#818599
The internal parsing logic of the ziomon utility previously relied on a Bash shell construct when identifying multipath devices. Changes in later versions of Bash caused the parsing logic to not work properly if the ziomon command was specified with more than one multipath device as an argument. Consequently, ziomon did not recognize all multipath devices and did not collect performance data for the respective devices. With this update, ziomon has been modified to use a bash-independent construct in the parsing logic. The ziomon utility now correctly recognizes all multipath devices and provides performance data as expected.

BZ#818877
Previously, the /etc/zipl.conf configuration file did not belong to any RPM package. This update corrects this problem and the /etc/zipl.conf file is now owned by the s390utils-base package.

BZ#828145
The "lsdasd -h" command always incorrectly returned an exit code of 1. Also, the lsdasd(8) man page was missing information about the "-b, --base" option. With this update, the lsdasd utility has been corrected to return the exit code 0 on success when issued to print help information. The lsdasd(8) man page has been updated and it now provides information on usage of the "-b" option as expected.

BZ#828146
Previously, the lsluns utility performed a SCSI generic (sg) functionality test before scanning for available LUNs or showing the attached LUNs. Consequently, the lsluns command failed and did not display any available or attached LUNs if there was no SCSI device available. This update modifies lsluns to perform a LUN scan first and execute an sg functionality test only if at least one SCSI device is found.

BZ#837311
The lsluns utility performed a SCSI registration test immediately after adding LUN0 and WLUN to the unit_add file. However, SCSI devices are not available immediately after adding LUNs to unit_add so lsluns did not recognize that LUN0 and WLUN are available. The lsluns command therefore failed with the "Cannot attach WLUN / LUN0 for scanning" error message. This update modifies lsluns so that the SCSI registration test is now performed several times allowing the SCSI mid-layer to complete SCSI device registration. The lsluns command now successfully displays LUNs as expected.

BZ#857815
Due to the way the kernel maintains caches for block devices, running the zipl boot loader could, under certain circumstances, lead to inconsistent cache contents in the first 4096 bytes on an FBA DASD device (a direct-access storage device with a fixed block architecture). This update modifies zipl so that the boot loader flushes disk buffers before installing the initial program load (IPL), which prevents cache corruption from occurring on FBA DASD devices.

Enhancements

BZ#847087
This update adds the necessary user space tools to allow Linux to access Storage Class Memory (SCM) as a block device on IBM System z systems using sub-channels of the Extended Asynchronous Data Mover (EADM) Facility.

BZ#847088
The lszcrypt utility has been modified to support the IBM Crypto Express 4 feature.

All users of s390utils are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.221. samba4

6.221.1. RHSA-2013:0506 — Moderate: samba4 security, bug fix and enhancement update

Updated samba4 packages that fix one security issue, multiple bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.

Samba is an open-source implementation of the Server Message Block (SMB) or Common Internet File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other information.

Upgrade to an upstream version

The samba4 packages have been upgraded to upstream version 4.0.0, which provides a number of bug fixes and enhancements over the previous version. In particular, improved interoperability with Active Directory (AD) domains. SSSD now uses the libndr-krb5pac library to parse the Privilege Attribute Certificate (PAC) issued by an AD Key Distribution Center (KDC).

The Cross Realm Kerberos Trust functionality provided by Identity Management, which relies on the capabilities of the samba4 client library, is included as a Technology Preview. This functionality and server libraries, is included as a Technology Preview. This functionality uses the libndr-nbt library to prepare Connection-less Lightweight Directory Access Protocol (CLDAP) messages.

Additionally, various improvements have been made to the Local Security Authority (LSA) and Net Logon services to allow verification of trust from a Windows system. Because the Cross Realm Kerberos Trust functionality is considered a Technology Preview, selected samba4 components are considered to be a Technology Preview. For more information on which Samba packages are considered a Technology Preview, refer to Table 5.1, "Samba4 Package Support" in the Release Notes. (BZ#766333, BZ#882188)

Security Fix

CVE-2012-1182
A flaw was found in the Samba suite's Perl-based DCE/RPC IDL (PIDL) compiler, used to generate code to handle RPC calls. This could result in code generated by the PIDL compiler to not sufficiently protect against buffer overflows.

Bug Fix

BZ#878564
Prior to this update, if the Active Directory (AD) server was rebooted, Winbind sometimes failed to reconnect when requested by "wbinfo -n" or "wbinfo -s" commands. Consequently, looking up users using the wbinfo tool failed. This update applies upstream patches to fix this problem and now looking up a Security Identifier (SID) for a username, or a username for a given SID, works as expected after a domain controller is rebooted.

All users of samba4 are advised to upgrade to these updated packages, which fix these issues and add these enhancements. Warning: If you upgrade from Red Hat Enterprise Linux 6.3 to Red Hat Enterprise Linux 6.4 and you have Samba in use, you should make sure that you uninstall the package named "samba4" to avoid conflicts during the upgrade.

6.222. samba

6.222.1. RHBA-2013:0338 — samba bug fix and enhancement update

Updated samba packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

Samba is an open-source implementation of the Server Message Block (SMB) and Common Internet File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other information.

Upgrade to an upstream version

The samba packages have been upgraded to upstream version 3.6, which provides a number of bug fixes and enhancements over the previous version. In particular, support for the SMB2 protocol has been added. SMB2 support can be enabled with the following parameter in the [global] section of the /etc/samba/smb.conf file:

max protocol = SMB2

Additionally, Samba now has support for AES Kerberos encryption. AES support has been available in Microsoft Windows operating systems since Windows Vista and Windows Server 2008. It is reported to be the new default Kerberos encryption type since Windows 7. Samba now adds AES Kerberos keys to the keytab it controls. This means that other Kerberos based services that use the Samba keytab and run on the same machine can benefit from AES encryption. In order to use AES session keys (and not only use AES encrypted ticket granting tickets), the Samba machine account in Active Directory's LDAP server needs to be manually modified. For more information, refer to the Microsoft Open Specifications Support Team Blog.

Also note that several Trivial Database (TDB) files have been updated and printing support has been rewritten to use the actual registry implementation. This means that all TDB files are upgraded as soon as you start the new Samba server daemon (smbd) version. You cannot downgrade to an older Samba version unless you have backups of the TDB files. (BZ#649479)

Warning

The updated samba packages also change the way ID mapping is configured. Users are advised to modify their existing Samba configuration files. For more information, refer to the Release Notes for Samba 3.6.0, the smb.conf man page and the individual IDMAP backend man pages.

If you upgrade from Red Hat Enterprise Linux 6.3 to Red Hat Enterprise Linux 6.4 and you have Samba in use, you should make sure that you uninstall the package named samba4 to avoid conflicts during the upgrade.

Bug Fixes

BZ#760109
Previously, the pam_winbind utility returned an incorrect PAM error code if the Winbind module was not reachable. Consequently, users were not able to log in even if another PAM Module authenticated the user successfully. With this update, the error PAM_USER_UNKNOWN is always returned in case Winbind fails to authenticate a user. As a result, users successfully authenticated by another PAM module can log in as expected.

BZ#838893
Samba 3.6 failed to migrate existing printers from the Trivial Database (TDB) to the registry due to a Network Data Representation (NDR) alignment problem. Consequently, printers from 3.5 could not be migrated and the Samba server daemon (smbd) stopped with an error. The NDR parser has been fixed to correctly parse printing entries from Samba 3.5. As a result, printers are correctly migrated from 3.5 TDB to the 3.6 registry.

BZ#866412
Due to a regression, the previous release changed the behavior of resolving domain local groups and the Winbind daemon (winbindd) could not find them. The original behavior for resolving the domain local groups has been restored. As a result, the ID command resolves domain local groups in its own domain correctly again.

BZ#866570
The net utility improperly displayed the realm which it had joined in all lowercase letters. Consequently, a user might misunderstand the domain join and might use the lowercase format of the realm name. This update corrects the case and improves the wording of the message printed about a domain join. As a result, the user is correctly informed as to which DNS domain the system has joined.

BZ#875879
If a Domain Controller (DC) was rebuilding the System Volume (Sysvol) shared directory and turned off netlogon, users were not able to log in until it was finished, even if another working DC was available. Consequently, users could not log in and got strange errors if netlogon was available and then was turned off. With this update, Samba retries twice to open the netlogon connection and if it still does not work the DC is added to the negative connection cache and Samba will failover to the next DC. As a result, the user no longer sees any error messages in this scenario and can log in using another DC as expected.

Enhancements

BZ#748407
When joining an Active Directory domain and using Samba's support for using Kerberos keytabs, AES Kerberos keys were not added into the generated keytab. Consequently, Samba did not support the new AES encryption type for Kerberos. This update adds support for AES Kerberos keys to Samba and AES Kerberos Keys are now created in the keytab during the Domain join.

Users of samba are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.223. scl-utils

6.223.1. RHBA-2013:0400 — scl-utils bug fix and enhancement update

Updated scl-utils packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The scl-utils packages provide a runtime utility and RPM packaging macros for packaging Software Collections. Software Collections allow users to concurrently install multiple versions of the same RPM packages on the system. Using the scl utility, users may enable specific versions of RPMs, which are installed into the /opt directory.

BZ#855999
The scl-utils packages have been upgraded to upstream version 20120927, which provides a number of bug fixes and enhancements over the previous version. The following list includes notable bug fixes:

The fix has been provided for a double free or corruption error when reading commands from the standard input, which could have led to a segmentation fault under certain circumstances.

The /usr/lib/rpm/redhat/brp-compress script now properly compresses man pages in %_mandir.

All users who require scl-utils are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.224. seabios

6.224.1. RHBA-2013:0307 — seabios bug fix and enhancement update

Updated seabios packages that fix several bugs and add two enhancements are now available for Red Hat Enterprise Linux 6.

The seabios packages contain an open-source legacy BIOS implementation which can be used as a coreboot payload. It implements the standard BIOS calling interfaces that a typical x86 proprietary BIOS implements.

Bug Fixes

BZ#771616
In the QXL-VGA drive, the ram_size and vram_size variables were set to a default value that was too high. Consequently, the guest was not able to boot, and the "VM status: paused (internal-error)" message was returned. This update uses extended addressing for PCI address space and the guest can now boot successfully.

BZ#839674
Previously, the advertisement of S3 and S4 states in the default BIOS was disabled for which a separate BIOS binary file had been created. This update enables users to configure S3 and S4 states per virtual machine in seabios and thus, the extra BIOS binary file is no longer necessary. Now, a single binary is used to enable these states.

BZ#851245
Prior to this update, the SeaBIOS component did not support the non-contiguous APIC IDs. This resulted in incorrect topology generation on SMP and NUMA systems; moreover, QEMU-KVM was unable to run on some of the host systems. A patch has been provided to fix this bug and SeaBIOS now supports the non-contiguous APIC IDs.

BZ#854448
The seabios packages used the time-stamp counter (TSC) for timekeeping with a simple calibration loop. As a consequence, on a busy host, the magnitude calibration could be set incorrectly and could lead to boot failures. This update provides the power management timer (PMT) with a fixed frequency, which does not suffer from calibration errors due to a loaded host machine. As a result, timeouts work correctly under all circumstances.

Enhancements

BZ#827500
With this update, it is possible to configure S3 and S4 states per virtual machine.

BZ#831273
The seabios packages are now able to reboot a VM even if no bootable device can be found.

Users of seabios are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.225. selinux-policy

6.225.1. RHBA-2013:0537 — selinux-policy bug fix update

Updated selinux-policy packages that fix one bug are now available for Red Hat Enterprise Linux 6.

The selinux-policy packages contain the rules that govern how confined processes run on the system.

Bug Fix

BZ#912392
When multiple devices were added into the system, udev rules restarted ktune services for each new device, so there were several restarts in a short time interval. The multiple restarts triggered a race condition in the kernel which was not easily fixable. Currently, the tuned code is modified not to trigger more than one restart per 10 seconds and the race condition is avoided.

Users of selinux-policy are advised to upgrade to these updated packages, which fix this bug.

6.225.2. RHBA-2013:0314 — selinux-policy bug fix and enhancement update

Updated selinux-policy packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The selinux-policy packages contain the rules that govern how confined processes run on the system.

Bug Fixes

BZ#837815
With the Multi-Level Security (MLS) SELinux policy enabled, a user created with an SELinux MLS level could not log in to the system through an SSH client. The SELinux policy rules have been updated to allow the user to log in to the system in the described scenario.

BZ#835923
When SELinux was in enforcing mode, an OpenMPI job, parallel universe in Red Hat Enterprise Linux MRG Grid, failed and was unable to access files in the /var/lib/condor/execute/ directory. New SELinux policy rules have been added for OpenMPI jobs to allow a job to access files in this directory.

BZ#857352
When SELinux was in enforcing mode, a migration from one host to another using the Red Hat Enterprise Virtualization Manager was denied. This update fixes relevant SELinux policy rules and the migration now completes as expected in the described scenario.

BZ#865759
Due to a regression, the root user was able to log in when the ssh_sysadm_login variable was set to OFF in MLS. To fix this bug, the ssh_sysadm_login SELinux boolean has been corrected to prevent the root user from logging in when this variable is set to OFF.

BZ#877108
When the user ran the system-config-kdump utility on the IBM System z architecture, the following error message was returned:

error opening /etc/zipl.conf for read: Permission denied

This error was caused by missing SELinux policy rules. With this update, the respective rules have been updated to allow system-config-kdump to access the /etc/zipl.conf file, and the error messages are no longer returned.

BZ#877932
Previously, cron daemon jobs were set to run in the cronjob_t domain when the SELinux MLS policy was enabled. As a consequence, users could not run their cron jobs. The relevant policy rules have been modified and cron jobs now run in the user domain, thus fixing this bug.

BZ#880369
When the user added a mount point to the /var/lib/openshift file and executed the quotacheck -cmug /var/lib/openshift command, the process resulted in AVC messages logged in the /var/log/audit/audit.log file. With this update, the quota system can manage openshift_var_lib_t directories to make the command work as expected.

BZ#867002
When the system was set up to use the SSSD system daemon to perform user authentication, the passwd utility was not allowed to read the /var/lib/sss/mc/ directory. This update fixes the security context for /var/lib/sss/mc/ to allow passwd to read this directory as expected.

BZ#878212
With SELinux in enforcing mode, during automatic testing of Red Hat Enterprise Linux in FIPS mode, PAM (Pluggable Authentication Modules) attempted to run prelink on the /sbin/unix_chkpwd file to verify its hash. Consequently, users could not log in to the system. The appropriate SELinux policy rules have been updated and a FIPS mode boolean has been added to resolve this bug.

BZ#887129
Previously, the system-config-kdump utility was unable to handle the kdump service when SELinux was in enforcing mode for 64-bit PowerPC. To fix this bug, the security context for the /usr/lib/yaboot/addnote binary file has been changed to the bin_t type. With this update, system-config-kdump handles kdump as expected.

BZ#869376
Due to a missing SELinux policy rule, certain services failed to start in enforcing mode. This update adds the mount_t unlabeled_t:filesystem relabelfrom; rule to make sure these services start as expected.

BZ#881413
Previously, if the user added the includedir /var/lib/sss/pubconf/krb5.include.d/ directive to a krb5.conf file in Identity Manager and installed a server in permissive mode, it generated numerous AVC messages because a number of processes were not able to read the contents of the included directory. This update adds rules to allow domains that can read the sssd_public_t type to also list this directory.

BZ#859231
When the krb5 package was upgraded to version 1.9-33.el6_3.3 and Identity Management or FreeIPA was used, an attempt to start the named daemon terminated unexpectedly in enforcing mode. This update adapts the relevant SELinux policy to make sure the named daemon can be started in the described scenario.

BZ#858235
Previously, the rhnsd daemon was handled by the rhsmcertd SELinux domain, which caused an AVC denial message to be returned. With this update, rhnsd has its own SELinux policy domain called rhnsd_t, thus preventing these messages.

BZ#831908
When the SANLOCKOPTS="-w 0" option was enabled in the /etc/sysconfig/sanlock configuration file, AVC denial messages were generated by the service sanlock restart command. The SELinux rules have been updated to allow the sanlock daemon to be restarted correctly without any AVC messages.

BZ#855889
Previously, the libselinux library did not support setting the context based on the contents of /etc/selinux/targeted/logins/$username/ directories. Consequently, central management of SELinux limits did not work properly. With this update, the /etc/selinux/targeted/logins/ directory is now handled by the selinux-policy packages as expected.

BZ#854671
With SELinux in enforcing mode, running the openswan service with FIPS enabled caused AVC denial messages to be logged to the /var/log/audit/audit.log file. This update fixes the relevant SELinux policy rules and openswan no longer produces AVC messages.

BZ#852763
With the SELinux MLS policy enabled, users could not mount a file via a loop device. This bug has been fixed, and users can mount a file via a loop device to the /mnt/ directory successfully.

BZ#835936
When SELinux was running in enforcing mode, it was impossible to start a virtual machine on a disk located on a POSIX file system, such as GlusterFS. The relevant SELinux policy has been fixed and virtual machines can now be started in the described scenario as expected.

BZ#843814
In its current version, the SSSD daemon writes SELinux configuration files into the /etc/selinux/<policy>/logins/ directory. The SELinux PAM module then uses this information to set the correct context for a remote user trying to log in. Due to a missing policy for this feature, SSSD could not write into this directory. With this update, a new security context for /etc/selinux/<policy>/logins/ has been added together with appropriate SELinux policy rules.

BZ#836311
Previously, the heartbeat subsystem was incorrectly treated by the corosync SELinux policy. Consequently, AVC messages were generated and heartbeat was unusable by default. To fix this bug, heartbeat is now handled by the rgmanager SELinux policy and AVC messages are no longer returned.

BZ#837138
With SELinux in enforcing mode, the clamscan utility did not work correctly as a backup server in the amavisd-new interface, which resulted in AVC messages being returned if clamscan could not access amavis spool files. This update corrects the SELinux policy to grant clamscan the necessary permission in the described scenario.

BZ#887892
Previously, SELinux prevented the ABRT (Automatic Bug Reporting Tool) utility from using the inotify subsystem on the /var/spool/abrt-upload/ directory. Consequently, when the user set up the WatchCrashdumpArchiveDir option in the ABRT utility, the abrtd daemon failed on restart. To fix this bug, a SELinux policy rule has been added to allow ABRT to use inotify on /var/spool/abrt-upload/ with the daemon working correctly.

BZ#842818
With SELinux in enforcing mode, the saslauthd daemon process could not work properly if the MECH=shadow option was specified in the /etc/sysconfig/saslauthd file. This update fixes the relevant SELinux policy rules and allows saslauthd to use the MECH=shadow configuration option.

BZ#842905
Previously, when a process with the user_r SELinux role tried to use the crontab utility on an NFS (Network File System) home directory, AVC messages were written to the audit.log file. The relevant SELinux policy has been updated to allow user_r processes to run the crontab utility, thus fixing the bug.

BZ#842927, BZ#842968
When the MAILDIR=$HOME/Maildir option was enabled either in the /etc/procmailrc or in dovecot configuration files, the procmail and dovecot services were not able to access a Maildir directory located in the home directory. This update fixes relevant SELinux policy rules to allow the procmail/dovecot service to read the configured MAILDIR option in /etc/procmailrc.

BZ#886874
When the vsftpd daemon is being stopped, it terminates all child vsftpd processes by sending the SIGTERM signal to them. When the parent process dies, the child process gets the SIGTERM signal. Previously, this signal was blocked by SELinux. This update fixes the relevant SELinux policy rules to allow vsftpd to terminate its child processes properly.

BZ#885518
Previously, the /var/lib/pgsql/.ssh/ directory had an incorrect security context. With this update, the security context has been changed to the ssh_home_t label, which is required by the PostgreSQL system backup.

BZ#843543
Due to an incorrect SELinux policy, SELinux prevented the libvirtd daemon from starting the dnsmasq server with the --pid-file=/var/run/libvirt/network/default.pid option and AVC denial messages were returned. The updated SELinux rules allow the libvirtd daemon to start correctly with dnsmasq support.

BZ#843577
With the MLS SELinux policy enabled, an administrator in an SELinux domain, with the sysadm_t type at the s0-s15:c0.c1023 level, was not able to execute the tar --selinux -zcf wrk.tar.gz /wrk command. These updated SELinux rules allow administrators to run the command in the described scenario.

BZ#843732
Due to a missing fcontext for the /var/named/chroot/lib64/ directory, AVC messages could be returned when working with the named daemon. To fix this bug, the missing SELinux security context for /var/named/chroot/lib64/ has been added.

BZ#836241
Due to an incorrect SELinux policy, the dovecot-imap and dovecot-lda utilities were not allowed access to the Maildir files and directories with the mail_home_rw_t security context. These updated SELinux rules allow dovecot-imap and dovecot-lda to access Maildir home directories.

BZ#84 4 04 5With SELinux in enforcing mode, the automount utility erroneously returned the mount.nfs4: access denied by a server error message when instructed to perform a mountoperation, which included a context= parameter. Mount operations in NFS v3 were notaffected. Now, SELinux policy rules have been updated to allow automount to work correctly inthe described scenario.

BZ#809716Due to an incorrect SELinux policy, the smartd daemon was not able to create the megaraid_sas_ioctl_node device with the correct SELinux security context. Consequently,monitoring of some disks on a MegaRAID controller using smartd was prevented. This updateprovides SELinux rules that allow monitoring of disks on a MegaRAID controller using smartd.

BZ#84 5201Previously, the incorrect default label on the /etc/openldap/cacerts/ and /etc/openldap/certs/ directories was provided by SELinux policy, which caused variousunnecessary AVCs to be returned. To fix this bug, these directories have been labeled with theslapd_cert_t SELinux security label. Now, no redundant AVCs are returned.

BZ#88234 8, BZ#850774Previously, with SELinux in enforcing mode and the internal-sftp subsystem configuredtogether with the Chroot option, users with the unconfined_t SELinux type were unable toconnect using the sftp utility. This update fixes the SELinux policy to allow users to utilize sftp successfully in the described scenario.

BZ#84 9262Previously, the snmpd daemon service was unable to connect to the corosync service usinga Unix stream socket, which resulted in AVC messages being logged in the /var/log/audit/audit.log file. To fix this bug, a set of new rules has been added to theSELinux policy to allow the snmpd daemon to connect to corosync.

BZ#84 9671With SELinux in enforcing mode, the /var/run/amavisd/clamd.pid file was empty, thusany attempt to restart the clamd.amavisd daemon failed. Stopping the service failed becauseof the empty PID file and starting it failed because the socket was already in use or still beingused. These updated SELinux rules allow clamd.amavisd to write to the PID file as expected.

BZ#851113Due to an incorrect SELinux policy, there was an incorrect label on the /var/run/cachefilesd.pid file. With this update, SELinux policy rules and the securitycontext have been fixed to get the cachefilesd_var_run_t label for the file.

BZ#881993Due to missing SELinux policy rules, the rsync daemon, which served an automounted homeNFS directory, was not able to write files in this directory. To fix this bug, the rsync daemon

Red Hat Enterprise Linux 6 6.4 Technical Notes

362

Page 367: Red Hat Enterprise Linux-6-6.4 Technical Notes-En-US

has been changed into a home manager to allow the needed access permissions.

BZ#851289Previously, the 8953/tcp port used the port_t SELinux port type, which prevented the unbound service from working correctly. To fix this bug, the 8953/tcp port has beenassociated with the rndc_port_t SELinux port type.

BZ#8514 83The spice-vdagent package was rebased to the latest upstream version (BZ#842355). A partof this rebased spice-vdagent was moved to the syslog() function instead of using its ownlogging code (BZ#747894). To reflect this change, the SELinux policy rules have been updatedfor the spice-vdagent policy to allow the use of syslog().

BZ#852731Previously, when a user wanted to create a user home directory on a client which did not exist,they could do so on local volumes. However, this operation was blocked in enforcing modewhen the pam_oddjob_mkhomedir.so module attempted to create a home directory on anNFS mounted volume. SELinux policy rules have been updated to allow pam_oddjob_mkhomedir to use NFS and user home directories can now be created inenforcing mode as well.

BZ#853453

When the .forward file was configured by the user on NFS, AVC messages were returned. Consequently, Postfix was not able to access the script in the aforementioned file. These updated SELinux rules allow .forward to be set up properly in the described scenario.

BZ#811319

Previously, the fence_virtd daemon was unconfined by SELinux, which caused the service to run in the initrc_t type SELinux domain. To fix this bug, the fenced_exec_t security context has been added for the fence_virtd daemon, and this service now runs in the fenced_t SELinux domain.

BZ#871038

Previously, with SELinux in enforcing mode, the setroubleshootd daemon was not able to read the /proc/irq file. Consequently, AVC messages were returned. This update provides SELinux rules, which allow setroubleshootd to read /proc/irq, and AVC messages are no longer returned.

BZ#833463

With SELinux running in enforcing mode, the fence_vmware_soap binary did not work correctly. Consequently, fencing failed, services did not failover, and AVC denial messages were written to the audit.log file. This update fixes the relevant policy to make the fence_vmware_soap binary work correctly.

BZ#832998

Prior to this update, a proper security context for the /usr/lib/mozilla/plugins/libflashplayer.so file was missing. Consequently, executing the mozilla-plugin-config -i command caused the following error to be returned:

*** NSPlugin Viewer *** ERROR: /usr/lib/mozilla/plugins/libflashplayer.so: cannot restore segment prot after reloc: Permission denied

The security context has been updated, and the command now works as expected.

BZ#821887

A missing SELinux policy prevented the Red Hat Enterprise Virtualization Hypervisors from recreating the /etc/mtab file with a correct security context. To fix this bug, a new SELinux transition from the virtd_t to mount_t SELinux domain has been added.

BZ#858406

Due to missing SELinux policy rules, Point-In-Time Recovery (PITR) implementation with the support for the SSH and RSync protocols failed to work with PostgreSQL. To resolve this bug, the postgresql_can_rsync SELinux boolean has been added to allow PostgreSQL to run the rsync utility and interact with SSH.

BZ#858784

With SELinux in enforcing mode, the pulse utility failed to start the Internet Protocol Video Security (IPVS) sync daemon at startup. SELinux policy rules have been updated to allow pulse to start the daemon as expected.

BZ#829274

Previously, the SELinux Multi-Level Security (MLS) policy did not allow the sysadm_r SELinux role to use the chkconfig SERVICE on/off commands to enable or disable a service on the system. This update fixes the relevant SELinux policy to allow the sysadm_r SELinux role to use these commands to enable or disable the service.

BZ#860666

Due to missing SELinux policy rules, the rebased krb5 package version 1.10 returned the following AVC message:

type=AVC msg=audit(1348602155.821:530): avc: denied { write } for pid=23129 comm="kadmind" path="anon_inode:[eventfd]" dev=anon_inodefs ino=3647 scontext=unconfined_u:system_r:kadmind_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file

With this update, the kadmind utility has been allowed to access anon_inode file descriptors to fix the AVC message.
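The AVC record quoted above carries everything needed to see which policy rule was missing: the source domain, the target type, the object class and the denied permissions. The following Python sketch is an added example, not part of the Technical Notes or of setroubleshoot; it parses such records and merges denials into the allow-rule syntax used in SELinux policy. The first sample line is the one from BZ#860666; the other lines and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# First line: the denial quoted in BZ#860666. Remaining lines are constructed.
SAMPLE_LOG = """\
type=AVC msg=audit(1348602155.821:530): avc: denied { write } for pid=23129 comm="kadmind" path="anon_inode:[eventfd]" dev=anon_inodefs ino=3647 scontext=unconfined_u:system_r:kadmind_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
type=SYSCALL msg=audit(1348602155.821:530): arch=c000003e syscall=1 success=no exit=-13 comm="kadmind"
type=AVC msg=audit(1348602160.102:531): avc: denied { read write } for pid=4411 comm="pppd" scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=socket
type=AVC msg=audit(1348602171.340:534): avc: denied { read } for pid=23129 comm="kadmind" path="anon_inode:[eventfd]" dev=anon_inodefs ino=3647 scontext=unconfined_u:system_r:kadmind_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
"""

HEADER_RE = re.compile(
    r'^type=AVC\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+'
    r'avc:\s+(?P<result>denied|granted)\s+'
    r'\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
# key=value pairs; values are either double-quoted or run to the next space.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_context(ctx):
    """Split user:role:type[:level]; the level itself may contain colons."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % ctx)
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "level": parts[3] if len(parts) == 4 else None}


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit line."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    try:
        return {
            "ts": float(m.group("ts")),
            "serial": int(m.group("serial")),
            "result": m.group("result"),
            "perms": m.group("perms").split(),
            "comm": fields.get("comm"),
            "path": fields.get("path"),
            "scontext": parse_context(fields["scontext"]),
            "tcontext": parse_context(fields["tcontext"]),
            "tclass": fields["tclass"],
        }
    except (KeyError, ValueError):
        return None  # truncated or malformed record


def format_rule(source, target, tclass, perms):
    perms = sorted(set(perms))
    body = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (source, target, tclass, body)


def rule_for(rec):
    """The single allow rule that would have permitted this access."""
    return format_rule(rec["scontext"]["type"], rec["tcontext"]["type"],
                       rec["tclass"], rec["perms"])


def summarize(log_text):
    """Merge all denials per (source type, target type, class)."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            key = (rec["scontext"]["type"], rec["tcontext"]["type"],
                   rec["tclass"])
            merged[key].update(rec["perms"])
    return [format_rule(s, t, c, p) for (s, t, c), p in sorted(merged.items())]


if __name__ == "__main__":
    for rule in summarize(SAMPLE_LOG):
        print(rule)
```

The merged rules show what the policy lacked; whether an access should be granted at all is a separate review step.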

BZ#868959

Previously, the cluster-cim package was allowed to be used in enforcing mode. However, AVC messages connected with access to the /var/run/clumond.sock and /var/run/cman_client Unix sockets were identified. To fix this bug, new SELinux policy rules have been provided to allow the cimprovag utility to connect to the cman_client socket.

BZ#861011, BZ#901565

Previously, the /var/nmbd/ directory was labeled as var_t, which caused issues with Samba services which needed to access this directory. The security context has been updated and Samba can now access this directory as expected. Furthermore, SELinux can prevent the nmbd service from writing into the /var/ repository, which causes problems with NetBIOS name resolution and leads to SELinux AVC denial messages.

BZ#867001

In the previous update, the rsyslog-gssapi package allowed the rsyslog utility to use the Generic Security Services Application Program Interface (GSSAPI). However, AVC messages were returned as a consequence. This update fixes relevant SELinux policy rules to allow the rsyslog utility to use Kerberos tickets on the client side.

BZ#865567

With SELinux in enforcing mode, when the fail2ban service was restarted and fail2ban was not able to execute the ldconfig and iptables commands, it resulted in SELinux AVC denial messages being returned. This update fixes the relevant SELinux policy rules to allow fail2ban to execute ldconfig and also fix security contexts for iptables binaries.

BZ#841950

Due to an incorrect security context for the /opt/sartest file, data could not be written to this location by the sadc utility running from a root cron daemon job. The security context has been updated and now sadc running from a root cron job can write data to this location.

BZ#860858

Previously, when the clamdscan utility was called by a Sendmail filter, the clamd daemon was not able to scan all files on the system. This update adds the clamscan_can_scan_system variable to allow all antivirus programs to scan all files on the system.

BZ#825221

Due to missing SELinux policy rules, the restorecon utility disregarded custom rules for symbolic links. These updated SELinux rules allow restorecon to properly handle custom rules for symlinks.

BZ#863407

Due to missing SELinux policy rules, the freshclam utility was not able to update databases through the HTTP proxy daemon when run by the cron daemon. To fix this bug, the relevant SELinux policy rules have been updated. As a result, freshclam now updates databases as expected in the described scenario.

BZ#864546, BZ#886619

Previously, SELinux prevented the puppet master from running the passenger web application. To fix this bug, the security context for the Passenger Apache module has been updated to reflect the latest passenger paths to executables to make sure all applications using Passenger web applications run with the correct SELinux domain.

BZ#860087

When a user set up the Red Hat Enterprise Linux 6 system as a VPN server with the IPSec+L2TP VPN, SELinux prevented the pppd daemon from accessing some needed components after connecting to the VPN server with the following error message:

pppd needs to be allowed also to "read" and "write" operations on l2tpd_t:socket

This update adds the missing SELinux policy to make sure all pppd actions are enabled by SELinux.

BZ#823647

Previously, some patterns in the /etc/selinux/targeted/contexts/files/file_contexts file contained typos. Some patterns matched the 32-bit path, but the same pattern for the 64-bit path was missing. Consequently, different security contexts were assigned to these paths. With this update, the relevant file context specifications have been corrected so that there are no more differences between these paths.
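The class of defect described in BZ#823647 can be checked mechanically. The following Python sketch is an added example, not code from the selinux-policy package: for every file_contexts pattern that names a /lib/ path it looks for the textually identical /lib64/ pattern and reports a missing twin or a twin with a different context. The sample entries are constructed, and the check compares pattern text only, so it assumes twins are written as separate lines or with lib(64)? rather than covered by a broader regular expression.

```python
# Constructed file_contexts excerpt: pattern, optional file type, context.
SAMPLE_FILE_CONTEXTS = r"""
# 32-bit and 64-bit entries disagree
/usr/lib/mozilla/plugins/libflashplayer\.so.*    --  system_u:object_r:textrel_shlib_t:s0
/usr/lib64/mozilla/plugins/libflashplayer\.so.*  --  system_u:object_r:lib_t:s0
# 64-bit entry missing
/usr/lib/nagios/plugins/check_icmp               --  system_u:object_r:nagios_services_plugin_exec_t:s0
# one pattern covers both
/usr/lib(64)?/sa/sadc                            --  system_u:object_r:sysstat_exec_t:s0
# consistent pair
/usr/lib/cups/backend/.*                         --  system_u:object_r:cupsd_exec_t:s0
/usr/lib64/cups/backend/.*                       --  system_u:object_r:cupsd_exec_t:s0
"""


def parse_file_contexts(text):
    """Return (pattern, file_type, context) tuples; file_type may be ''."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 2:
            pattern, ftype, context = fields[0], "", fields[1]
        elif len(fields) == 3:
            pattern, ftype, context = fields
        else:
            continue  # not a well-formed specification
        entries.append((pattern, ftype, context))
    return entries


def lib64_gaps(text):
    """Report /lib/ patterns whose /lib64/ twin is missing or labeled differently.

    Each finding is (kind, pattern, context_32bit, context_64bit_or_None).
    """
    entries = parse_file_contexts(text)
    by_key = {(pattern, ftype): ctx for pattern, ftype, ctx in entries}
    findings = []
    for pattern, ftype, context in entries:
        # 'lib(64)?' and 'lib64' patterns do not contain the literal '/lib/'.
        if "/lib/" not in pattern:
            continue
        twin = pattern.replace("/lib/", "/lib64/", 1)
        twin_context = by_key.get((twin, ftype))
        if twin_context is None:
            findings.append(("missing", pattern, context, None))
        elif twin_context != context:
            findings.append(("mismatch", pattern, context, twin_context))
    return findings


if __name__ == "__main__":
    for kind, pattern, ctx32, ctx64 in lib64_gaps(SAMPLE_FILE_CONTEXTS):
        print("%-8s %s\n         32-bit: %s\n         64-bit: %s"
              % (kind, pattern, ctx32, ctx64))
```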

BZ#831068

Previously, when a user tried to change a password in the GNOME user account dialog window, the attempt was blocked by SELinux in enforcing mode due to missing SELinux rules for the passwd_t SELinux domain. With this update, SELinux policy rules have been added to allow users to change their passwords in the GNOME user account dialog window.

BZ#871106, BZ#882850

Previously, there were problems hooking certain monitoring plug-ins to the munin plug-in domain with SELinux in enforcing mode. To fix this bug, the unconfined_munin_plugin_t SELinux type has been added to the SELinux policy to cover all unconfined munin plug-ins. As a result, munin plug-ins can now run unconfined.

BZ#871816

With SELinux in enforcing mode, the ipactl restart command caused AVC denial messages to be returned. This update fixes the relevant SELinux policy rules and the command no longer produces AVC messages.

BZ#855286

While installing an ISO image on a virtual machine (VM) from Red Hat Enterprise Virtualization Manager, AVC messages were generated. These AVC messages were returned due to the sanlock utility which could not access files and directories on the FUSE file system. To fix this bug, the sanlock_use_fusefs SELinux boolean variable has been added and installing from an ISO image on a VM now succeeds.

BZ#853970

Previously, a Red Hat Cluster Suite node did not auto-join a cluster ring after power fencing due to missing SELinux policy rules for the corosync utility. Consequently, corosync failed to reboot. To fix this bug, corosync has been allowed to use 1229/udp and 1228/udp ports to auto-join a cluster ring after power fencing. As a result, a machine re-joins the cluster after fencing and reboots as expected.

BZ#853852

Previously, the SELinux boolean variable for NFS failed to prevent an NFS client from accessing a share. Consequently, the NFS client could mount an NFS share and read or write files. Because the NFS server runs as a kernel process, the nfs_export_all_rw boolean variable was no longer needed and has been removed from the policy, thus fixing the bug. NFS clients now cannot access shares in the described scenario.

BZ#879266

When the user was installing Red Hat Cluster Suite packages from Red Hat Network, the installation process became unresponsive and the cluster suite was not installed. With this update, the relevant policy has been added and Red Hat Cluster Suite packages from RHN can now be installed as expected.

BZ#880407

Previously, if the user ran the restorecon utility on /etc/multipath* directories and files, the security context was reset. This update fixes relevant SELinux policy rules and adds updated SELinux security context for these directories and files.

BZ#846069

Previously, the piranha-web utility was unable to connect to the winbind daemon using Unix stream sockets. Consequently, AVC messages were returned. To fix this bug, a set of new rules has been added to the SELinux policy to allow the piranha-web service to connect to winbind.

BZ#883143

Due to the incorrect git_read_generic_system_content_files() interface, the git-daemon and httpd daemons could not serve the same directory. To fix this bug, the git_read_generic_system_content_files() interface has been updated to allow git-daemon and httpd to serve the same directory.

BZ#809877

Previously, due to incorrect file context specifications, the policy did not always have a correct label for files in the /var/log/ directory which were processed by the logrotate utility. To fix this bug, the file context specifications have been updated and the files and directories processed by logrotate now have correct labels.

BZ#844448

Previously, the munin-node agent lacked necessary SELinux rules for reading Exim log files. Consequently, multiple bundled exim plug-ins were prevented from working and munin-node terminated unexpectedly. This update fixes the relevant SELinux policy rules to allow munin-node to read exim log files so that the exim Munin plug-ins work correctly.

BZ#843455

Previously, when the user tried to use the munin_stats Munin plug-in, it caused AVC messages to be returned. To fix this bug, updated SELinux policy rules have been provided and munin_stats now works as expected.

BZ#886563

If a user tried to use a post-login script in the dovecot utility, an AVC message was returned. This update fixes relevant SELinux policy rules and adds updated SELinux rules to allow dovecot to start the /bin/bash file. Now, AVC messages are no longer returned.

BZ#841329

Due to an incorrect SELinux policy, confined SELinux users could not decrypt S/MIME (Secure/Multipurpose Internet Mail Extensions) emails because the gpg-agent daemon was prevented from reading the /dev/random file. The claws-mail client using the smime utility was affected by this bug. Now, SELinux policy rules have been updated to allow SELinux confined users to decrypt S/MIME emails.

BZ#770065

Previously, when a user tried to use the check_icmp Munin plug-in, AVC messages were returned. With this update, a corrected SELinux policy has been provided for check_icmp, thus fixing the bug.

BZ#890687

When a user attempted to configure the rsync daemon to log directly to a specific file, missing SELinux policy rules let the user create the log file, but did not allow appending to it. With this update, SELinux policy rules have been added to allow rsync to append to a specific log file.

BZ#821483

With SELinux in enforcing mode, running a spamd daemon process updating Razor configuration files resulted in permission being denied and an AVC message being generated. This update fixes relevant SELinux policy rules to allow spamd processes to update Razor configuration files in the described scenario.

BZ#869304

With SELinux in enforcing mode, on a Red Hat Enterprise Linux 6.3 hypervisor, SELinux prevented the QEMU-KVM getattr() function access when starting VMs from Red Hat Enterprise Virtualization Manager hosted on a Red Hat Storage (RHS) storage domain. This update fixes relevant SELinux policy rules to allow the QEMU-KVM getattr() access.

BZ#867628

Prior to this update, the manual pages did not reflect the actual state of SELinux policy rules. To fix this bug, the actual policy has been included in the selinux-policy package. Furthermore, all auto-generated manual pages are now regenerated on the system using the sepolicy utility from Fedora to provide better SELinux manual pages for each SELinux domain.

BZ#887793

The wdmd watchdog daemon used the /etc/wdmd.d/checkquorum.wdmd script, both provided by the sanlock package, for checking out the cluster state. Consequently, with SELinux enabled, this detection failed resulting in a self-resetting loop. To fix this bug, the SELinux support for the watchdog script from the sanlock utility has been added, and the detection no longer fails.

Enhancements

BZ#739103

On Red Hat Enterprise Linux 6, root privileges are required to start a KVM guest with bridged networking. The libvirt library in turn launches a QEMU process as the unprivileged qemu user. New qemu:///session URIs introduced to libvirt attempted to allow the unprivileged user to start KVM guests and have the QEMU process execute as the same unprivileged user but failed since the CAP_NET_ADMIN capability is required to use TUN/TAP networking. To fix this bug from the SELinux perspective, a new SELinux policy has been added for a networking helper program that QEMU can invoke.

BZ#801493

This update provides a new SELinux policy for the pacemaker service.

BZ#807157

This update provides a new SELinux policy for the numad service.

BZ#807678

This update provides a new SELinux policy for the bcfg2-server service.

BZ#836034

This update provides a new SELinux policy for the OpenStack Essex cloud computing framework.

BZ#834994

This update provides a new SELinux policy for the rhnsd service.

BZ#839250, BZ#838260

A new SELinux antivirus policy module has been introduced in this release. This module contains the antivirus_db_t file type and the antivirus attribute to consolidate all anti-virus programs on the system. The module also allows managing files and directories labeled with the antivirus_db_t file type.

BZ#833557

This update provides a new SELinux policy for the xl2tpd service.

BZ#827389

This update adds SELinux support for the Gitolite v.3 utility, which allows users to set up hosting of Git repositories on a central server.

BZ#811361

This update provides a new SELinux policy for the svnserve service.

BZ#811304

This update provides a new SELinux policy for the glusterd daemon.

BZ#848915

This update provides a new SELinux policy for the slpd daemon.

BZ#845417

This update provides a new SELinux policy for the ovs-vswitchd and ovs-brcompatd Open vSwitch services.

BZ#845033

This update provides a new SELinux policy for the iucvtty application, which provides full-screen terminal access to a Linux instance running as a z/VM Inter-User Communication Vehicle (IUCV).

BZ#839831

The QEMU emulator now provides a new qemu-ga (guest agent) daemon. This daemon runs on the guest and executes commands on behalf of processes running on the host. This update provides a new SELinux policy for a new qemu-ga (guest agent) daemon.

BZ#848918

This update provides a new SELinux policy for the sensord service.

BZ#851128, BZ#888164

SELinux support has been added for the rpc.rstatd and rpc.rusersd daemons to prevent them from running in the initrc_t SELinux domain. Now, these services run in the rpcd_t SELinux domain.

BZ#851241

This update provides a new SELinux policy for the cpglockd service.

BZ#885432

Support for the /usr/share/ovirt-guest-agent/ovirt-guest-agent.py file has been added to these updated packages.

BZ#875839

Support for OpenShift Enterprise Policy has been added to Red Hat Enterprise Linux 6.4.

Users of selinux-policy are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.226. setroubleshoot

6.226.1. RHBA-2013:0387 — setroubleshoot bug fix update

Updated setroubleshoot packages that fix several bugs are now available for Red Hat Enterprise Linux 6.

This package provides a set of analysis plugins for use with setroubleshoot. Each plugin has the capacity to analyze SELinux AVC (Access Vector Cache) data and system data to provide user friendly reports describing how to interpret SELinux AVC denial messages.

Bug Fixes

BZ#788196

Prior to this update, the "sealert -a /var/log/audit/audit.log -H" command did not work correctly. When opening the audit.log file, the sealert utility returned an error when the "-H" option was used. The relevant source code has been modified and the "-H" sealert option is no longer recognized as a valid option.

BZ#832143

Previously, SELinux Alert Browser did not display alerts even if SELinux denial messages were present. This was caused by the sedispatch utility, which did not handle audit messages correctly, and users were not able to fix their SELinux issues according to the SELinux alerts. Now, SELinux Alert Browser properly alerts the user in the described scenario.

BZ#842445

Under certain circumstances, sealert produced the " 'tuple' object has no attribute 'split' " error message. A patch has been provided to fix this bug. As a result, sealert no longer returns this error message.

BZ#851824

The sealert utility returned parse error messages if an alert description contained parentheses. With this update, sealert has been fixed and now, the error messages are no longer returned in the described scenario.

BZ#864429

Previously, improper documentation content was present in files located in the /usr/share/doc/setroubleshoot/ directory. This update removes certain unneeded files and fixes content of others.

Users of setroubleshoot are advised to upgrade to these updated packages, which fix these bugs.

6.227. setup

6.227.1. RHBA-2012:1367 — setup bug fix update

Updated setup packages that fix three bugs are now available for Red Hat Enterprise Linux 6.

The setup packages provide a set of important system configuration and setup files, such as passwd, group, and profile.

Bug Fixes

BZ#791140

Prior to this update, the "/etc/profile" script used a non-portable method for undefining the pathmunge() function. As a consequence, the script could encounter problems when using the korn shell (ksh). This update modifies the undefining method of the function to work more efficiently with alternative shells.

BZ#839410, BZ#860221

Prior to this update, the accounts for the haproxy system user, the jbosson-agent system user, and the jbosson system group were created with dynamic uid/gid assignment, which is not recommended for network daemons and for sensitive data. With this update, the static uid/gid pair 188:188 can be used to create these users and groups.

All users of setup are advised to upgrade to these updated packages, which fix these bugs.

6.228. slapi-nis

6.228.1. RHBA-2013:0370 — slapi-nis bug fix update

An updated slapi-nis package that fixes two bugs is now available for Red Hat Enterprise Linux 6.

The slapi-nis package contains the NIS server plug-in and the Schema Compatibility plug-in for use with the 389 directory server.

Bug Fixes

BZ#840926

While updating their internal data caches after the server had processed an LDAP modify request, the modules leaked a small amount of memory after every modify request. This bug has been fixed and no memory is now leaked in the described scenario.

BZ#829502

At build-time, the slapi-nis package attempted to detect if it was being built for a version of the directory server which included support for backend transactions. If this support was detected, the plug-in enabled its own optional logic for supporting transactions in order to allow it to interact properly with the server and other plug-ins. Some time after this support was added to slapi-nis, the recommended strategy for integrating with a transaction-enabled server was revised, rendering changes in slapi-nis incorrect. This update explicitly disables that support in these plug-ins, thus preventing this support from interfering with normal directory server operations.

Users of slapi-nis are advised to upgrade to this updated package, which fixes these bugs.

6.229. slf4j

6.229.1. RHBA-2012:1239 — slf4j bug fix update

Updated slf4j packages that fix one bug are now available for Red Hat Enterprise Linux 6.

The Simple Logging Facade (SLF4J) for Java serves as a simple facade for various logging APIs allowing the end-user to plug in the desired implementation at deployment time.

Bug Fix

BZ#831933, BZ#828644

The slf4j packages contained a non-functional dummy API implementation which was not supposed to be used. This dummy implementation was always selected instead of other implementations and UnsupportedOperationException was thrown. The dummy API implementation has been removed, so that user-supplied implementation is now always chosen, and slf4j works as expected.

All users of slf4j are advised to upgrade to these updated packages, which fix this bug.

6.230. smartmontools

6.230.1. RHBA-2013:0365 — smartmontools bug fix and enhancement update

Updated smartmontools packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The smartmontools packages provide the smartctl tool and the smartd daemon to control and monitor storage systems using the Self-Monitoring, Analysis and Reporting Technology System (SMART) built into most modern ATA and SCSI hard disks.

Upgrade to an upstream version

The smartmontools packages have been upgraded to upstream version 5.43, which provides a number of bug fixes and enhancements over the previous version. (BZ#826144)

All users of smartmontools are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.231. sos

6.231.1. RHBA-2013:0474 — sos bug fix and enhancement update

Updated sos packages that fix a number of bugs and add two enhancements are now available for Red Hat Enterprise Linux 6.

The sos packages contain a set of tools that gather information from system hardware, logs and configuration files. The information can then be used for diagnostic purposes and debugging.

Bug Fixes

BZ#859142

The previous versions of the sos packages used a built-in module to collect data from Red Hat Network Satellite Server and Red Hat Network Proxy Server. As a consequence, data captured by the sos utility was incomplete or in a different format than expected by RHN Satellite developers. The module has now been extended to use the RHN Satellite script (spacewalk-debug) to collect information when present, and the RHN Satellite components now supply a debug script that is able to collect more detailed diagnostic data.

BZ#821323

Previous versions of sos did not include any support for capturing RHUI (Red Hat Update Infrastructure) configuration and diagnostic data. Consequently, no diagnostic information for the RHUI components was available in generated reports. A new module has been added to capture this information. As a result, full logs and configuration data are now included when run on hosts with RHUI components installed.

BZ#849546

The previous version of gluster module made use of gluster CLI commands to obtain state dump information. This caused cluster-wide locks to be taken, potentially blocking other nodes for the duration of data collection. The module has been set to directly issue a signal to the local gluster processes and collect the generated files. Now, full state dump data is collected without causing side effects to other hosts in the environment.

BZ#850542

Previous versions of the sos psacct (BSD Process Accounting) module collected all process accounting files present on the system, which could, under certain configurations, lead to a very large number of archived files in the process accounting directory. This has been fixed by changing psacct to collect only the most recent accounting file by default. The all option has been added to the module which allows the user to request the original behavior if required. As a result, reports generated on hosts with many archived accounting files no longer include this large set of additional data.

BZ#817093

Previous versions of the device-mapper-multipath packages stored path binding data directly in the /etc/ or /var/lib/ directories. Consequently, the previous versions of sos did not capture files stored in this location. The devicemapper module has been extended to include the /etc/multipath/ directory contents as well, to allow more consistent SELinux labeling of multipath files. The complete bindings file is now captured on hosts using the new directory layout.

BZ#834594

Prior to this update, the sosreport networking module collected various data from the sysctl configuration found in the /proc/sys/net/ directory. Certain legacy paths in this directory have been deprecated upstream and scheduled for removal in future releases but are maintained for compatibility reasons. Nevertheless, running sosreport on systems having deprecated sysctls configuration generated warning messages as the sos utility accessed these paths. This bug has been fixed by including sos to a blacklist for forbidden paths of this directory. Now, diagnostic information is no longer lost as the content of these files is now provided under different parameter names that are already included in the report. Thus, full diagnostic information is now collected from the /proc/sys/net/ directory without generating unnecessary warning messages in system logs.

BZ#833170

Previously, the sosreport utility did not recognize interfaces named by BIOS, using the biosdevname utility. Consequently, Ethernet network devices were constrained to the conventional ethN naming scheme and the ifconfig command, in some cases, did not correctly identify interface types. To address this issue, the sos networking module was set to use the ip command from the iproute package to generate lists of network interfaces. As a result, information for these network interfaces is now correctly captured and is available in generated reports.

BZ#850433

Prior to this update, the Python runtime's pipe communication interface added an additional trailing newline (“\n”) character to output read by an external program. Consequently, files stored in the reports that were generated by running an external command included additional trailing whitespace that could interfere with attempts to compare file contents. The sosreport command has been modified to remove this additional character when present, thus fixing this bug. File capture is now consistent between sos versions in Red Hat Enterprise Linux 5 and 6, thus simplifying comparison of diagnostic data captured on these two releases.

BZ#822174

Previous versions of sos did not sanitize special characters in system hostnames when using the name in file system paths. Consequently, inserting special characters in the system hostname could cause sos to generate invalid file system paths and fail to generate a report. With this update, invalid characters are filtered out of system hostnames and the sosreport command now works correctly on systems having characters disallowed in file system paths present in the hostname, thus fixing this bug.

BZ#822113

Previous versions of the sos utility failed to validate the --name parameter correctly. Consequently, the report was generated with a file name containing an empty name field. To fix this bug, a default name has been substituted when the provided report name is empty or invalid and files are now generated with names following a consistent pattern.

BZ#824378

Due to changes in the logging design in earlier releases, the sos utility did not log errors when attempting to collect output from external commands. Consequently, no message was written to the sos log file when an external command could not be executed. This update ensures that the logging is carried out in the core plug-in code and a failure to execute an external program is now correctly logged.

BZ#821005

Previous versions of the sos utility passed an unescaped double tilde (~~) character sequence to a command executed by the system shell. On some systems, the expansion of this sequence resulted in an error message when the shell home directory expansion attempted a lookup for an account named ~. The sequence is now correctly double-quoted to disable shell expansion of the string and no spurious account lookup or log message is triggered in the described scenario.

BZ#850779

The sanlock package is a new component that provides disk based leases and uses the watchdog device to protect their recovery. Previous versions of sos did not include support for collecting sanlock diagnostic data. A new module has been added to collect configuration and log files for this component so that diagnostic information relating to the sanlock service would be captured in generated reports.

BZ#852049

PostgreSQL is a popular open-source database in Red Hat Enterprise Linux. Prior versions of sos did not include support for collecting information about installed postgres instances, and thus no diagnostic information was collected for this component. The psql module that obtains information from the database has been included in this release. Now, when psql is enabled, diagnostic data is captured on appropriately configured systems, and optional parameters such as database name and authentication may be specified in order to collect more detailed information.

BZ#809727

The pagetypeinfo file contains additional information relevant to external fragmentation of kernel memory. Previous versions of sos only collected the related buddyinfo data. Consequently, less detailed information was available regarding the fragmentation state of the kernel page allocator. The pagetypeinfo file has been included in the generated report and detailed fragmentation debugging data is now collected by default, thus avoiding manual effort to obtain this information.

Enhancements

BZ#84 0975Previous releases of sos captured only the /proc/ioports file detailing registered I/O portregions in use. The /proc/iomem file additionally describes regions of physical systemmemory and their use of memory, firmware data, and device I/O traffic. As this data may beimportant in debugging certain hardware and device-driver problems, both ioports and iomem data have been made available within generated reports.

BZ#825968, BZ#826312The RHSM (Red Hat Subscription Manager) provides a new method for managing Red Hatsubscriptions and entitlements on installed hosts. This update adds support for capturing the subscription-manager utility output for diagnostic purposes. The output of subscription-manager is now included in generated reports.

Users of sos are advised to upgrade to these updated packages, which fix these bugs and add theseenhancements.

6.232. spice-gtk

6.232.1. RHBA-2013:0343 — spice-gtk bug fix and enhancement update

Updated spice-gtk packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The spice-gtk packages provide a GTK2 widget for SPICE clients. Both the virt-manager and virt-viewer utilities can make use of this widget to access virtual machines using the SPICE protocol.

Upgrade to an upstream version

The spice-gtk packages have been upgraded to upstream version 0.14, which provides a number of bug fixes and enhancements over the previous version. The following list includes notable enhancements:

Windows USB redirection support
Seamless migration
Better multi-monitor or resolution setting support
Improved handling of key-press and key-release events in high latency situations

BZ#842354

Bug Fixes

BZ#834283
When part of a key combination matched the grab sequence, the last key of the combination was sometimes not sent to the guest. As a consequence, the Left Ctrl+Alt+Del key combination was not passed to guests. This update ensures that all the keys are sent to the SPICE server even if they are part of a combination. Now, when a key combination matches the grab sequence, the procedure works as expected.

BZ#813865
Previously, when a Uniform Resource Identifier (URI) contained an IPv6 address, errors occurred when parsing URIs in remote-viewer. As a consequence, remote-viewer could not be started from the command line with an IPv6 URI. Parsing of URIs containing IPv6 addresses is now fixed and it is possible to connect to an IPv6 address when starting remote-viewer from the command line.

BZ#812347
High network jitter caused some key strokes to enter multiple characters instead of one. Improvements on the SPICE protocol have been made to avoid unwanted character repetition.

BZ#818848
When the QEMU application was started with the --spice-disable-effects option and an invalid value, spice-gtk did not print any error message, which could confuse users. This bug is now fixed and QEMU exits when an invalid value is encountered.

BZ#881072
Previously, an attempt to close the connection to a display failed until one of the remaining windows got resized. Consequently, a previously closed window could be opened again without the user's intention. Reopening of the closed display is now fixed and closing the remote-viewer windows works as expected.

BZ#835997
Previously, SPICE motion messages were not properly synchronized between client and server after migration. As a consequence, mouse cursor state could get out of sync after migration. This update ensures SPICE motion messages are synchronized between client and server and mouse cursor state no longer gets out of sync.

BZ#846666
Previously, the following error code was returned in various scenarios:

main-1:0: SSL_connect: error:00000001:lib(0):func(0):reason(1)

This code made debugging of connection failures cumbersome. With this update, the corresponding error message is printed for each of the different scenarios.

BZ#818847
When using the --spice-color-value option with an invalid value, an error message is displayed. However, previously, the message was not clear enough. After the update, when using the --spice-color-value option with an invalid value, SPICE returns an error message including a suggestion of the value.

BZ#843134
After connecting to an agent-less guest with 16-bit color depth, the initial screen was black and got drawn on change only. This bug is now fixed and the guest screen is rendered fully upon connection to an agent-less guest with 16-bit color depth.

BZ#867885
Disabling client-side mouse acceleration temporarily when the pointer was in server mode and grabbed caused the mouse pointer to "jump" over the guest desktop at any faster movement. This bug is now fixed and the mouse pointer moves in a guest as it does on a physical client.

BZ#851090
Previously, the Ctrl+Shift composite key did not work, resulting in the same actions being triggered by different composite keys. This bug is now fixed and Ctrl+Shift works as expected.

BZ#858228
Previously, when no host subject was specified, the remote-viewer tool failed to connect with the following error message:

Spice-Warning **: ssl_verify.c:484:openssl_verify: ssl: subject '' verification failed

With this update, when no host subject is specified, remote-viewer treats it like an empty host subject and verifies the common name (CN=) from the subject field against the hostname.

BZ#858232
Under certain circumstances, an unclear warning message was returned, incorrectly suggesting that a needless network connection was attempted. The error message has been improved to correctly reflect the state.

BZ#859392
Previously, for security reasons, users were prompted to enter the root password when trying to redirect a USB device from a Red Hat Enterprise Linux 6.4 client to a SPICE guest. However, regular users do not have the root password. As this behavior is controlled by PolicyKit, changes in the /usr/share/polkit-1/actions/org.spice-space.lowlevelusbaccess.policy file have been made to allow access to the raw USB device without prompting for a password. A warning about the security implications of this has been included in the documentation.

BZ#807771
Previously, implementation of the CONTROLLER_SEND_CAD event was missing in the spice-gtk controller. As a consequence, checking the "Pass Ctrl+Alt+Del to virtual machine" box in the user interface did not produce any result. Implementation for CONTROLLER_SEND_CAD has been added to the underlying source code and users can now tick the checkbox for Ctrl+Alt+Del to be intercepted on the virtual guest.

BZ#861332
After a non-seamless migration of virtual machines with redirected USB devices, SPICE did not evaluate the USB state correctly. With this update, the related functions called from the channel_reset() function can rely on the state accurately reflecting the USB state.

BZ#804187
When there was no device to redirect, the redirection dialogue window did not provide clear enough information. With this update, a help message indicating that there is no device to redirect is included in the dialogue window as well as additional related guidance.

BZ#868237
In some situations, SPICE attempted to send the 00 scan codes to virtual machines, which resulted in the unknown key pressed error messages being printed by the client. After this update, SPICE no longer sends the 00 scan codes to the spice-server.

Enhancements

BZ#846911
The previous SPICE migration pathway was almost equivalent to automatically connecting the client to the migration target and starting the session from scratch. This pathway resulted in unrecoverable data loss, mainly USB, smartcard or copy-paste data that was on its way from the client to the guest and vice versa, when the non-live phase of the migration started. This update prevents data loss and the migration process completes successfully in this scenario.

BZ#842411
RandR multi-monitor support for Linux guests and arbitrary resolution support for Linux and Windows guests have been added to the spice-gtk package. It is now possible to dynamically add new screens while using a virtual machine. Also, after resizing the window of the SPICE client, the resolution of the guest is automatically adjusted to match the size of the window.

BZ#820964
Auto-discovery of already plugged-in USB devices on Red Hat Enterprise Linux clients by the USB Redirector has been added to the spice-gtk package.

BZ#834504
This update adds more informative error messages to the spice-gtk package; the messages deal with host subject mismatch when invalid SSL certificates or SSL options are passed to QEMU.

Users of spice-gtk are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.233. spice-protocol

6.233.1. RHBA-2013:0510 — spice-protocol bug fix and enhancement update

Updated spice-protocol packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The spice-protocol packages provide header files to describe the SPICE protocol and the QXL para-virtualized graphics card. The SPICE protocol is needed to build newer versions of the spice-client and the spice-server packages.

Upgrade to an upstream version

The spice-protocol package has been upgraded to upstream version 0.12.2, which provides a number of enhancements over the previous version, including support for USB redirection. (BZ#842352)

Enhancement

BZ#846910
This update adds support for seamless migration to the spice-protocol packages.

All users who build spice packages are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.234. spice-server

6.234.1. RHBA-2013:0529 — spice-server bug fix and enhancement update

Updated spice-server packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The Simple Protocol for Independent Computing Environments (SPICE) is a remote display protocol for virtual environments. SPICE users can access a virtualized desktop or server from the local system or any system with network access to the server. SPICE is used in Red Hat Enterprise Linux for viewing virtualized guests running on the Kernel-based Virtual Machine (KVM) hypervisor or on Red Hat Enterprise Virtualization Hypervisors.

Upgrade to an upstream version

The spice-server package has been upgraded to upstream version 0.12.0, which provides a number of bug fixes and enhancements over the previous version. (BZ#842353)

Bug Fixes

BZ#787694
Previously, when the "-spice" command line option of the qemu-kvm command contained invalid parameters, the SPICE server terminated unexpectedly. This behavior has been modified, and SPICE server now returns a proper error value when incorrect parameters are passed.

BZ#824384
Previously, resolution changes run in a loop on a guest virtual machine led the qemu-kvm process to fail with the SIGABRT signal. This was caused by calling the ring_remove() function twice by the red_worker script. This bug has been fixed, and qemu-kvm no longer crashes in the described case.

BZ#864982
Previously, non-RGB images with masks were omitted when rendering the guest user interface with the spice-server package. Consequently, certain icons were rendered incorrectly. This bug has been fixed, and the rendering errors no longer occur.

BZ#876685
Using the LZ compression for server self-created images resulted in incorrect stride values, which caused SPICE server to abort. With this update, the LZ compression is no longer used for these images to prevent SPICE server termination.

BZ#881980
Previously, messages from a client to the spice-vdagent agent were received by SPICE server, even after the agent had already disconnected from the server. These messages were mishandled and in certain circumstances could cause SPICE server to terminate unexpectedly. Now, these messages are dropped by the server, thus preventing this bug.

BZ#891326
When trying to change the settings of the "3D Flying Objects" screen saver, SPICE server was forced to access already freed pointers. Consequently, SPICE server terminated unexpectedly with a segmentation fault. With this update, the sequence of operations has been reordered to prevent the segmentation fault.

Enhancements

BZ#836123
With this update, a seamless migration of the SPICE server has been enabled to ensure the full data transfer. This change required modifications in the QEMU emulator and the libvirt library. The "seamless-migration=on" argument has been added to SPICE's QEMU arguments. In case this argument is not set, SPICE returns to the old migration pathway.

BZ#842310
This update adds support for multiple monitors and arbitrary screen resolutions.

All users of spice-server are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.235. spice-vdagent

6.235.1. RHEA-2013:0311 — spice-vdagent enhancement update

Updated spice-vdagent packages that add various enhancements are now available for Red Hat Enterprise Linux 6.

The spice-vdagent packages provide a SPICE agent for Linux guests.

Upgrade to an upstream version

The spice-vdagent packages have been upgraded to upstream version 0.12.0, which provides a number of enhancements over the previous version. (BZ#842355)

Enhancements

BZ#747894
The spice-vdagent agent now uses the syslog standard for logging. Syslog provides previously missing information on time stamps and severity marks of the logged events.

BZ#842298
With this update, support for dynamic multiple monitors and arbitrary window resolution has been added to the spice-vdagent agent.

All users of spice-vdagent are advised to upgrade to these updated packages, which add these enhancements.

6.236. spice-xpi

6.236.1. RHBA-2013:0459 — spice-xpi bug fix update

Updated spice-xpi packages that fix two bugs are now available for Red Hat Enterprise Linux 6.

The spice-xpi packages provide the Simple Protocol for Independent Computing Environments (SPICE) extension for Mozilla that allows the SPICE client to be used from a web browser.

Bug Fixes

BZ#805602
Previously, spice-xpi did not check port validity. Consequently, if an invalid port number was provided, spice-xpi sent it to the client. With this update, spice-xpi checks validity of provided port numbers, warns about invalid ports, and does not run the client if both ports are invalid.

BZ#810583
Previously, the disconnect() function failed to terminate a SPICE client when invoked. The underlying source code has been modified and disconnect() now works as expected in the described scenario.

All users of spice-xpi are advised to upgrade to these updated packages, which fix these bugs.

6.237. squid

6.237.1. RHSA-2013:0505 — Moderate: squid security and bug fix update

Updated squid packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.

Squid is a high-performance proxy caching server for web clients that supports FTP, Gopher, and HTTP data objects.

Security Fixes

CVE-2012-5643
A denial of service flaw was found in the way the Squid Cache Manager processed certain requests. A remote attacker who is able to access the Cache Manager CGI could use this flaw to cause Squid to consume an excessive amount of memory.

Bug Fixes

BZ#805879
Due to a bug in the ConnStateData::noteMoreBodySpaceAvailable() function, child processes of Squid terminated upon encountering a failed assertion. An upstream patch has been provided and Squid child processes no longer terminate.

BZ#844723
Due to an upstream patch, which renamed the HTTP header controlling persistent connections from Proxy-Connection to Connection, the NTLM pass-through authentication does not work, thus preventing login. This update adds the new http10 option to the squid.conf file, which can be used to enable the change in the patch. This option is set to off by default. When set to on, the NTLM pass-through authentication works properly, thus allowing login attempts to succeed.

BZ#832484
When the IPv6 protocol was disabled and Squid tried to handle an HTTP GET request containing an IPv6 address, the Squid child process terminated due to signal 6. This bug has been fixed and such requests are now handled as expected.

BZ#847056
The old "stale if hit" logic did not account for cases where the stored stale response became fresh due to a successful re-validation with the origin server. Consequently, incorrect warning messages were returned. Now, Squid no longer marks elements as stale in the described scenario.

BZ#797571
When squid packages were installed before samba-winbind, the wbpriv group did not include Squid. Consequently, NTLM authentication calls failed. Now, Squid correctly adds itself into the wbpriv group if samba-winbind is installed before Squid, thus fixing this bug.

BZ#833086
In FIPS mode, Squid was using private MD5 hash functions for user authentication and network access. As MD5 is incompatible with FIPS mode, Squid could fail to start. This update limits the use of the private MD5 functions to local disk file hash identifiers, thus allowing Squid to work in FIPS mode.

BZ#782732
Under high system load, the squid process could terminate unexpectedly with a segmentation fault during reboot. This update provides better memory handling during reboot, thus fixing this bug.

BZ#798090
Squid incorrectly set the timeout limit for client HTTP connections with the value for server-side connections, which is much higher, thus creating unnecessary delays. With this update, Squid uses a proper value for the client timeout limit.

BZ#861062
When the GET method requested a fully-qualified domain name that did not contain the AAAA record, Squid delayed due to long DNS requesting time. This update introduces the dns_v4_first option to squid.conf. If the dns_timeout value of this option is properly set, Squid sends the A and AAAA queries in parallel and the delays no longer occur.

BZ#758861
Squid did not properly release allocated memory when generating error page contents, which caused memory leaks. Consequently, the Squid proxy server consumed a lot of memory within a short time period. This update fixes this memory leak.

BZ#797884
Squid did not pass the ident value to a URL rewriter that was configured using the url_rewrite_program directive. Consequently, the URL rewriter received the dash character (-) as the user value instead of the correct user name. Now, the URL rewriter receives the correct user name in the described scenario.

BZ#720504
Squid, used as a transparent proxy, can only handle the HTTP protocol. Previously, it was possible to define a URL in which the access protocol contained the asterisk character (*) or an unknown protocol namespace URI. Consequently, an Invalid URL error message was logged to access.log during reload. This update ensures that http:// is always used in transparent proxy URLs, and the error message is no longer logged in this scenario.

Users of squid are advised to upgrade to these updated packages, which resolve this issue and fix these bugs.

6.238. sssd

6.238.1. RHSA-2013:0508 — Low: sssd security, bug fix and enhancement update

Updated sssd packages that fix two security issues, multiple bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.

The System Security Services Daemon (SSSD) provides a set of daemons to manage access to remote directories and authentication mechanisms. It provides an NSS and PAM interface toward the system and a pluggable back-end system to connect to multiple different account sources. It is also the basis to provide client auditing and policy services for projects such as FreeIPA.

Upgrade to an upstream version

The sssd packages have been upgraded to upstream version 1.9.2, which provides a number of bug fixes and enhancements over the previous version. (BZ#827606)

Security Fixes

CVE-2013-0219
A race condition was found in the way SSSD copied and removed user home directories. A local attacker who is able to write into the home directory of a different user who is being removed could use this flaw to perform symbolic link attacks, possibly allowing them to modify and delete arbitrary files with the privileges of the root user.

CVE-2013-0220
Multiple out-of-bounds memory read flaws were found in the way the autofs and SSH service responders parsed certain SSSD packets. An attacker could send a specially-crafted packet that, when processed by the autofs or SSH service responders, would cause SSSD to crash. This issue only caused a temporary denial of service, as SSSD was automatically restarted by the monitor process after the crash.

The CVE-2013-0219 and CVE-2013-0220 issues were discovered by Florian Weimer of the Red Hat Product Security Team.
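
One defensive pattern against the symbolic link race described for CVE-2013-0219, as an added example that is not SSSD's code: walk and delete the directory through file descriptors opened with O_NOFOLLOW, so that a path swapped for a symlink is refused rather than followed. The function name, the demo tree and its file names are constructed for this example.

```python
import os
import stat
import tempfile


def remove_tree_nofollow(name, parent_fd):
    """Remove directory `name`, resolved relative to `parent_fd`.

    Every lookup is relative to an already-open directory descriptor and
    never follows a symlink. Returns the number of entries removed.
    """
    # O_NOFOLLOW: if `name` is (or has been replaced by) a symlink, open()
    # fails with OSError instead of entering the link's target.
    flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
    dir_fd = os.open(name, flags, dir_fd=parent_fd)
    removed = 0
    try:
        for child in os.listdir(dir_fd):
            # lstat-style check: describes the entry itself, not its target.
            st = os.stat(child, dir_fd=dir_fd, follow_symlinks=False)
            if stat.S_ISDIR(st.st_mode):
                # If the entry is swapped for a symlink after this check,
                # the O_NOFOLLOW open in the recursive call still refuses it.
                removed += remove_tree_nofollow(child, dir_fd)
            else:
                # unlink() on a symlink removes the link, never its target.
                os.unlink(child, dir_fd=dir_fd)
                removed += 1
    finally:
        os.close(dir_fd)
    os.rmdir(name, dir_fd=parent_fd)
    return removed + 1


def demo():
    """Run the removal on a constructed tree and report what happened."""
    with tempfile.TemporaryDirectory() as base:
        # "victim" stands for a directory outside the home being removed.
        os.makedirs(os.path.join(base, "victim"))
        keep = os.path.join(base, "victim", "keep.txt")
        with open(keep, "w") as fh:
            fh.write("must survive\n")

        # Constructed home directory with ordinary content.
        os.makedirs(os.path.join(base, "home", "sub"))
        for rel in ("home/notes.txt", "home/sub/inner.txt"):
            with open(os.path.join(base, rel), "w") as fh:
                fh.write("user data\n")

        # A symlink inside the home directory that points outside it.
        os.symlink("../victim", os.path.join(base, "home", "link"))
        # A "home directory" path that is itself a symlink.
        os.symlink("victim", os.path.join(base, "home2"))

        base_fd = os.open(base, os.O_RDONLY | os.O_DIRECTORY)
        try:
            removed = remove_tree_nofollow("home", base_fd)
            try:
                remove_tree_nofollow("home2", base_fd)
                refused = False
            except OSError:
                refused = True
        finally:
            os.close(base_fd)

        return {
            "removed": removed,
            "home_gone": not os.path.lexists(os.path.join(base, "home")),
            "symlinked_home_refused": refused,
            "victim_intact": os.path.exists(keep),
        }


if __name__ == "__main__":
    print(demo())
```

The same descriptor-relative calls exist in C as openat(), fstatat() with AT_SYMLINK_NOFOLLOW, and unlinkat().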

Bug Fixes

BZ#854619
When SSSD was built without sudo support, the ldap_sudo_search_base value was not set and the namingContexts LDAP attribute contained a zero-length string. Consequently, SSSD tried to set ldap_sudo_search_base with this string and failed. Therefore, SSSD was unable to establish a connection with the LDAP server and switched to offline mode. With this update, SSSD considers the zero-length namingContexts value the same way as if no value is available, thus preventing this bug. Note that this issue was primarily affecting Novell eDirectory server users.

BZ#840089
When the ldap_chpass_update_last_change option was enabled, the shadowLastChange attribute contained a number of seconds instead of days. Consequently, when shadowLastChange was in use and the user was prompted to update their expiring password, shadowLastChange was not updated. The user then continued to get an error until they were locked out of the system. With this update, the number of days is stored in the shadowLastChange attribute and users are able to change their expiring passwords as expected.

BZ#847039
When the kpasswd server was configured but was unreachable during authentication, SSSD considered it the same way as if the KDC server was unreachable. As a consequence, the user failed to authenticate. Now, SSSD considers an unreachable kpasswd server as a fatal error only when performing a password change and users can log in successfully.

BZ#847043
Previously, canceling a pthread which was in the midst of any SSS client usage could leave the client mutex locked. As a consequence, the next call to any SSS function became unresponsive, waiting for the mutex to unlock. With this update, a more robust mutex is used, and canceling such a pthread no longer keeps the client mutex locked.

BZ#872324
When SSSD created an SELinux login file, it erroneously kept the file descriptor of this file opened. As a consequence, the number of the file descriptors used by SSSD increased every time a user logged in. SSSD now closes the file descriptor when it is no longer needed, thus protecting it from leaking.

BZ#801719
Previously, reverse DNS lookup was not performed to get the Fully Qualified Domain Name (FQDN) of a host specified by an IP address. As a consequence, SSH host public key lookup was incorrectly attempted with the textual IP address as an FQDN. Reverse DNS lookup is now performed to get the FQDN of the host before the SSH host public key lookup. SSH host public key lookup now functions correctly using the FQDN of the host.

BZ#857108
Kerberos options were loaded separately in the krb5 utility and the IPA provider with different code paths. The code was fixed in krb5 but not in the IPA provider. Consequently, a Kerberos ticket was not renewed in time when IPA was used as an authentication provider. With this update, Kerberos options are loaded using a common API and Kerberos tickets are renewed as expected in the described scenario.

BZ#849081
When SSSD was configured to use SSL during communication with an LDAP server and the initialization of SSL failed, SSSD kept the connection to the LDAP server opened. As a consequence, the number of connections to the LDAP server was increased with every request via SSSD, until the LDAP server ran out of available file descriptors. With this update, when the SSL initialization fails, SSSD closes the connection immediately and the number of connections does not grow.

BZ#819057
If the LDAP provider was configured to use GSSAPI authentication but the first configured Kerberos server to authenticate against was offline, then SSSD did not retry the other, possibly working servers. The failover code was amended so that all Kerberos servers are tried when GSSAPI authentication is performed in the LDAP provider. The LDAP provider is now able to authenticate against servers that are only configured as failover.

BZ#822404
Previously, SSSD did not use the correct attribute mapping when a custom schema was used. As a consequence, if the administrator configured SSSD with a custom attribute map, the autofs integration did not work. The attribute mapping was fixed and SSSD now works with a custom attribute schema.

BZ#826192, BZ#827036
In some cases, the SSSD responder processes did not properly close the file descriptors they used to communicate with the client library. As a consequence, the descriptors leaked, and, over time, caused denial of service because SSSD reached the limit of open file descriptors defined in the system. SSSD now proactively closes file descriptors that were not active for some time, making the file descriptor usage consistent.

BZ#829742
The SSSD back-end process kept a pointer to the server it was connected to in all cases, even when the server entry was about to expire. Most customers encountered this issue when SRV resolution was enabled. As a consequence, when the server entry expired while SSSD was using it, the back-end process crashed. An additional check has been added to SSSD to ensure the server object is valid before using it. SSSD no longer crashes when using SRV discovery.

BZ#829740
When the SSSD daemon was in the process of starting, the parent processes quit right after spawning the child process. As a consequence, the init script printed [OK] after the parent process terminated, which was before SSSD was actually functional. After this update, the parent processes are not terminated until all worker processes are up. Now, the administrator can start using SSSD after the init script prints [OK].

BZ#836555
Previously, SSSD always treated the values of attributes that configure the "shadow" LDAP password policy as absolute. As a consequence, an administrator could not configure properties of the "shadow" LDAP password policy as "valid forever". The LDAP "shadow" password attributes are now extended to also allow "-1" as a valid value and an administrator can use the reserved value of "-1" as a "valid forever".

BZ#842753
When a service with a protocol was requested from SSSD, SSSD performed access to an unallocated memory space, which caused it to occasionally crash during service lookup. Now, SSSD does not access unallocated memory and no longer crashes during service lookups.

BZ#842842
When the LDAP user record contained an empty attribute, the user was not stored correctly in the SSSD cache. As a consequence, the user and group memberships were missing. After this update, empty attributes are not considered an error and the user is stored correctly in the SSSD cache. As a result, the user is present and the group membership can be successfully evaluated.

BZ#845251
When multiple servers were configured and SSSD was unable to resolve the host name of a server, it did not try the next server in the list. As a consequence, SSSD went offline even when a working server was present in the configuration file after the one with the unresolvable hostname. SSSD now tries the next server in the list and failover works as expected.

BZ#847332
Previously, the description of ldap_*_search_base options in the sssd-ldap(5) man page was missing syntax details for these options, which made it unclear how the search base should be specified. The description of ldap_*_search_base options in the sssd-ldap(5) man page has been amended so that the format of the search base is now clear.

BZ#811984
If the krb5_canonicalize option was set to True or not present at all in the /etc/sssd/sssd.conf file, the client principal could change as a result of the canonicalization. However, SSSD still saved the original principal. As the incorrect principal was saved, the GSSAPI authentication failed. The Kerberos helper process that saves the principals was amended so that the canonicalized principal is saved if canonicalization is enabled. The GSSAPI binds now work correctly even for cases where the principal is changed as a result of the canonicalization.

BZ#886038
Previously, SSSD kept the file descriptors to the log files open. Consequently, on occasions like moving the actual log file and restarting the back end, SSSD still kept the file descriptors open. After this update, SSSD closes the file descriptor after child process execution. As a result, after successful start of the back end, the file descriptor to log files is closed.

BZ#802718
Previously, the proxy domain type of SSSD allowed looking up a user only by its "primary name" in the LDAP server. If SSSD was configured with a "proxy domain" and the LDAP entry contained more name attributes, only the primary one could be used for lookups. For this update, the proxy provider was enhanced to also handle aliases in addition to primary user names. An administrator can now look up a user by any of his names when using the proxy provider.

BZ#869013
The sudo "smart refresh" operation was not performed if the LDAP server did not contain any rule when SSSD was started. As a consequence, newly created sudo rules were found after a longer period of time than the "ldap_sudo_smart_refresh_interval" option displayed. The sudo "smart refresh" operation is now performed and newly created sudo rules are found within the ldap_sudo_smart_refresh_interval time span.

BZ#790090
The SSSD "local" domain (id_provider=local) performed a bad check on the validity of the access_provider value. If the access_provider option was set with "permit", which is a correct value, SSSD failed with an error. The check for the access_provider option value has been corrected and SSSD now allows the correct access_provider value for domains with id_provider=local.

BZ#874579
Previously, SELinux usermap contexts were not ordered correctly if the SELinux mappings were using HBAC rules as a definition of what users to apply the mapping to and if the Identity Management server was not reachable at the same time. As a consequence, an invalid SELinux context could be assigned to a user. SELinux usermap contexts are now ordered correctly, and the SELinux context is assigned to a user successfully.

BZ#700805
If SSSD was configured to locate servers using SRV queries, but the default DNS domain was not configured, SSSD printed a DEBUG message. The DEBUG message, which contained an "unknown domain" string, could confuse the user. The DEBUG messages were fixed so that they specifically report that the DNS domain is being looked up, and only print known domains.

BZ#871424
Previously, the chpass_provider directive was missing in the SSSD authconfig API. As a consequence, the authconfig utility was unable to configure SSSD if the chpass_provider option was present in the SSSD configuration file. The chpass_provider option has been included in the SSSD authconfig API and now the authconfig utility does not consider this option to be incorrect.

BZ#874618
Previously, the sss_cache tool did not accept fully qualified domain names (FQDN). As a consequence, the administrator was unable to force the expiration of a user record in the SSSD cache with an FQDN. The sss_cache tool now accepts an FQDN and the administrator is able to force the expiration of a user record in the SSSD cache with an FQDN.

BZ#870039
Previously, when the sss_cache tool was run after an SSSD downgrade, the cache file remained the same as the one used for the previous version of SSSD. The sss_cache tool could not manipulate the cache file and a confusing error message was printed. The "invalid database version" error message was improved in the sss_cache tool. Now, when an invalid cache version is detected, the sss_cache tool prints a suggested solution.

BZ#882923
When the proxy provider did not succeed in finding a requested user, the result of the search was not stored in the negative cache (which stores entries that are not found when searched for). A subsequent request for the same user was not answered by the negative cache, but was rather looked up again from the remote server. This bug had a performance impact. The internal error codes were fixed, allowing SSSD to store search results that yielded no entries into the negative cache. Subsequent lookups for non-existent entries are answered from the negative cache and, by effect, are very fast.

BZ#884600
Previously, during LDAP authentication, SSSD attempted to contact all of the servers on the server list if every previous server failed. However, SSSD tried to connect to the next server only if the current connection timed out. SSSD now tries to contact the next server on any error and connection attempts work as expected.

BZ#861075
When the sssd_be process was forcefully terminated, the SSSD responder processes failed to reconnect if the attempt was performed before the sssd_be process was ready. This caused the responder to be restarted. Occasionally, the responder restarted several times before sssd_be was ready, hitting the maximum number of restarts threshold, after which it was terminated completely. As a consequence, the SSSD responder was not gracefully restarted. After this update, each restart of the SSSD responder process is done with an increasing delay, so that the sssd_be process has enough time to recover before a responder is restarted.

BZ#858345
Previously, the sssd_pam responder was not properly configured to recover from a back end disconnection. The PAM requests that were pending before the disconnection were not canceled. Thus, new requests for the same user were erroneously detected as similar requests and piled up on top of the previous ones. This caused the PAM operation to time out with the following error:

Connection to SSSD failed: Timer Expired

As a consequence, the user could not log in. After this update, pending requests are canceled after disconnection and the user is able to log in when the pam responder reconnects.

BZ#873032
Previously, the sss_cache utility was not included in the main SSSD package and users were unaware of it, unless they installed the sssd-tools package. After this update, the sss_cache utility has been moved to the sssd package.

BZ#872683
When the anonymous bind was disabled and enumeration was enabled, SSSD touched an invalid array element during enumeration because the array was not NULL terminated. This caused the sssd_be process to crash. The array is now NULL terminated and the sssd_be process does not crash during enumeration when the anonymous bind is disabled.

BZ#870505
When SSSD was configured with multiple domains, the sss_cache tool searched for an object only in the first configured domain and ignored the others. As a consequence, the administrator could not use the sss_cache utility on objects from an arbitrary domain. The sss_cache tool now searches all domains and the administrator can use the tool on objects from an arbitrary domain.

Enhancements

BZ#768168, BZ#832120, BZ#743505
A new ID mapping library that is capable of automatically generating UNIX IDs from Windows Security Identifiers (SIDs) has been added to SSSD. An administrator is now able to use Windows accounts easily in a UNIX environment. Also, a new Active Directory provider that contains the attribute mappings tailored specifically for use with Active Directory has been added to SSSD. When id_provider=ad is configured, the configuration no longer requires setting the attribute mappings manually. A new provider for SSSD has been implemented and the administrator can now set up an Active Directory client without having to know the specific Active Directory attribute mappings. The performance of the Active Directory provider is better than the performance of the LDAP provider, especially during login.

BZ#789470
When SSSD failed over to another server in its failover list, it stuck with that server as long as it worked. As a result, if the SSSD failed over to a server in another region, it did not reconnect to a closer server until it was restarted or until the backup server stopped working. The concept of a "backup server" has been introduced to SSSD and if SSSD fails over to a server which is listed as a backup server in the configuration, it periodically tries to reconnect to one of the primary servers.

BZ#789473
A new sss_seed utility has been introduced in SSSD. An administrator can save a pre-seeded user entry into the SSSD cache which is used until the user can actually refresh the entry with a non-pre-seeded entry from the directory.

BZ#768165
Active Directory uses a nonstandard format when a large group that does not fit into a single "page" is returned. By default, the single page size contains 1500 members and if the response exceeds the page size, the range extension is used. If a group was stored on an Active Directory server which contained more than 1500 members, the response from Active Directory contained the proprietary format which SSSD could not parse. SSSD was improved so that it is able to parse the range extension and can now process groups with more than 1500 group members coming from the Active Directory.

BZ#766000
Previously, administrators were forced to distribute SELinux mappings via means that were error prone. Therefore, a centralized store of SELinux mappings was introduced to define which user gets which context after logging into a certain machine. SSSD is able to read mappings from an Identity Management server, process them according to a defined algorithm and select the appropriate SELinux context which is later consumed by the pam_selinux module. The Identity Management server administrator is now able to centrally define SELinux context mappings and the Identity Management clients process the mappings when a user logs in using his Identity Management credentials.

BZ#813327
The automounter can be configured to read autofs maps from a centralized server such as an LDAP server. But when the network is down or the server is not reachable, the automounter is unable to serve maps. A new responder has been introduced to SSSD that is able to communicate with the automounter daemon. Automounter can now request the maps via SSSD instead of going directly to the server. As a result, the automounter is able to serve maps even in case of an outage of the LDAP server.

BZ#761573
A new sudo responder has been implemented in SSSD as well as a client library in sudo itself. SSSD is able to act as a transparent proxy for serving sudo rules for the sudo binary. Now, when the centralized sudo rules source is not available, for instance when the network is down, SSSD is able to fall back to cached rules, providing transparent access to sudo rules from a centralized database.

BZ#789507
Prior to this update, even if a user entry was cached by SSSD, it had to be read from the cache file on the disk. This caused the cache readings to be slow in some performance-critical environments. A new layer of cache, stored in the memory, was introduced, greatly improving the performance of returning cached entries.

BZ#771412
The pam_pwd_expiration_warning option can be used to limit the number of days a password expiration warning is shown for. However, SSSD did not allow any password warning coming from the server to be passed on to the client unconditionally. The behavior of pam_pwd_expiration_warning was modified so that if the option is set to 0, it is always passed on to the client, regardless of the value of the warning. As a result, after setting the pam_pwd_expiration_warning option to 0, the administrator will always see the expiration warning if the server sends one.

BZ#771975
The force_timeout option has been made configurable and the administrator can now change the force_timeout option for environments where SSSD subprocesses might be unresponsive for some time.

All users of sssd are advised to upgrade to these updated packages, which correct these issues, fix these bugs and add these enhancements.
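How a client can follow the range extension described in BZ#768165, shown as an added example that is not SSSD's code. The `member;range=low-high` attribute option and the `*` end marker are Active Directory's range retrieval syntax, which the note does not spell out; `fetch`, `make_fake_server` and the member names are constructed stand-ins for real LDAP searches.

```python
import re

PAGE_SIZE = 1500  # default page size quoted in BZ#768165

# "member;range=0-1499" or, for the final page, "member;range=3000-*"
_RANGED = re.compile(r"^([A-Za-z][A-Za-z0-9-]*);range=(\d+)-(\d+|\*)$", re.I)


def parse_ranged_attr(name):
    """Split a ranged attribute name into (base, low, high).

    high is None when the server sent '*', which marks the last page.
    Returns None for an ordinary attribute name.
    """
    m = _RANGED.match(name)
    if m is None:
        return None
    low = int(m.group(2))
    high = None if m.group(3) == "*" else int(m.group(3))
    if high is not None and high < low:
        raise ValueError("inverted range in %r" % name)
    return m.group(1), low, high


def collect_values(fetch, base="member", max_pages=1000):
    """Read every value of a multi-valued attribute, following ranges.

    fetch(attr_name) stands in for one LDAP search on the group entry and
    returns {returned_attr_name: [values]}.
    """
    values, request = [], base
    for _ in range(max_pages):  # bound the loop against a misbehaving server
        entry = fetch(request)
        ranged = None
        for name, vals in entry.items():
            parsed = parse_ranged_attr(name)
            if parsed and parsed[0].lower() == base.lower():
                ranged = (parsed, vals)
        if ranged is None:
            # Small group: the plain attribute carries everything.
            return values + list(entry.get(base, []))
        (_, low, high), vals = ranged
        if low != len(values):
            raise ValueError("server skipped or repeated values at %d" % low)
        if high is not None and len(vals) != high - low + 1:
            raise ValueError("page %d-%d has %d values" % (low, high, len(vals)))
        values.extend(vals)
        if high is None:
            return values
        request = "%s;range=%d-*" % (base, high + 1)
    raise RuntimeError("gave up after %d pages" % max_pages)


def make_fake_server(members):
    """Constructed stand-in for a directory holding one group."""
    def fetch(request):
        parsed = parse_ranged_attr(request)
        if parsed is None and len(members) <= PAGE_SIZE:
            return {"member": list(members)}
        low = parsed[1] if parsed else 0
        chunk = members[low:low + PAGE_SIZE]
        last = low + len(chunk) >= len(members)
        high = "*" if last else str(low + len(chunk) - 1)
        return {"member;range=%d-%s" % (low, high): chunk}
    return fetch
```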

6.239. strace

6.239.1. RHBA-2013:0282 — strace bug fix and enhancement update

Updated strace packages that fix two bugs and add one enhancement are now available for Red Hat Enterprise Linux 6.

The strace packages provide a utility to intercept and record the system calls called and received by a running process. The strace utility can print a record of each system call, its arguments and its return value. The strace utility is useful for diagnosing, debugging and instructional purposes.

Bug Fixes

BZ#759569
Prior to this update, the strace utility extracted arguments for the "semtimedop" system call from the wrong location on the IBM System z platforms. As a consequence, arguments for the "semtimedop" system call were incorrectly displayed. This update modifies strace to extract the arguments from the correct memory location so that the arguments for the "semtimedop" system call are displayed as expected.

BZ#837183
Prior to this update, the strace utility used special breakpoints to trace fork/vfork/clone system calls. As a consequence, sometimes strace could cause applications to crash when following fork/vfork/clone system calls. This update modifies strace to use PTRACE_SETOPTIONS to set the behavior at fork/vfork/clone system calls and applications no longer crash.

Enhancement

BZ#809917
Prior to this update, strace incorrectly decoded system calls when tracing a 32-bit process on a 64-bit machine, because strace on IBM System z platforms is not multi-arch aware. This update provides an additional strace executable (strace32) which can be used to trace 32-bit processes on 64-bit machines.

All users of strace are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.

6.240. subscription-manager-migration-data

6.240.1. RHBA-2013:0360 — subscription-manager-migration-data bug fix and enhancement update

An updated subscription-manager-migration-data package that fixes several bugs and adds various enhancements is now available for Red Hat Enterprise Linux 6.

The new Subscription Management tooling allows users to understand the specific products, which have been installed on their machines, and the specific subscriptions, which their machines consume.

Upgrade to an upstream version

The subscription-manager-migration-data package has been upgraded to upstream version 1.12.2.5, which provides a number of bug fixes and new product certificates over the previous version. (BZ#860304, BZ#825603, BZ#872959, BZ#875760)

All users of subscription-manager-migration-data are advised to upgrade to this updated package, which fixes these bugs and adds these enhancements.

6.241. subscription-manager

6.241.1. RHBA-2013:0350 — subscription-manager bug fix and enhancement update

Updated subscription-manager packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The subscription-manager packages provide programs and libraries to allow users to manage subscriptions and yum repositories from the Red Hat Entitlement platform.

Upgrade to an upstream version

The subscription-manager packages have been upgraded to upstream version 1.1.15, which provides a number of bug fixes and enhancements over the previous version. (BZ#860291)

Bug Fixes

BZ#785265
The dbus packages, which contain the D-BUS communication system, are not included in the minimal installation of Red Hat Enterprise Linux. However, the subscription-manager utility depends on dbus, which could previously cause subscription-manager to terminate unexpectedly with a traceback during the registration process. The system was registered successfully but the rhsmcertd daemon was not able to communicate with subscription manager servers, such as candlepin, Subscription Asset Manager, or katello. With this update, subscription-manager exits without a traceback when dbus is not present on the system. To ensure proper communication with the subscription manager servers, install dbus manually by running "yum install dbus".

BZ#865954
Due to incorrect error handling of invalid system names, the system could be left in an unusable state during the first boot process. The handling of invalid system names has been fixed and first boot proceeds properly as expected.

Enhancements

BZ#874749
With this update, the subscription-manager "unsubscribe" command has been renamed to "remove".

BZ#874776, BZ#874804
With this update, the subscription-manager "subscribe" command has been renamed to "attach". This change also includes the references to the "subscribe" command, such as "--auto-subscribe", which has been renamed to "--auto-attach".

All users of subscription-manager are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.242. sudo

6.242.1. RHBA-2013:0363 — sudo bug fix and enhancement update

Updated sudo packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The sudo (super user do) utility allows system administrators to give certain users the ability to run commands as root.

Upgrade to an upstream version

The sudo package has been upgraded to upstream version 1.8.6p3, which provides a number of bug fixes and enhancements over the previous version. The following list includes highlights, important fixes, or notable enhancements:

- Plug-in API has been added, provided by the new sudo-devel subpackage.
- New /etc/sudo.conf configuration file for the sudo utility front-end configuration (plug-in path, coredumps, debugging and so on) has been added.
- It is possible to specify the sudoer's path, UID, GID, and file mode as options to the plug-in in the /etc/sudo.conf file.
- Support for using the System Security Services Daemon (SSSD) as a source of sudoers data has been provided.
- The -D flag in the sudo utility has been replaced with a more general debugging framework that is configured in the /etc/sudo.conf file.
- The deprecated noexec_file sudoers option is no longer supported.
- The noexec functionality has been moved out of the sudoers policy plug-in and into the sudo utility front end, which matches the behavior documented in the plug-in writer's guide. As a result, the path to the /usr/libexec/sudo_noexec.so file is now specified in the /etc/sudo.conf file instead of the /etc/sudoers file.
- If the user fails to authenticate, and the user's executed command is rejected by the rules defined in the sudoers file, the "command not allowed" error message is now logged instead of the previously used "<N> incorrect password attempts". Likewise, the mail_no_perms sudoers option now takes precedence over the mail_badpass option.
- If the user is a member of the exempt group in the sudoers file, he will no longer be prompted for a password even if the -k option is specified with the executed command. This makes the sudo -k command consistent with the behavior one would get if running the sudo -k command immediately before executing another command.
- If the user specifies a group via the sudo utility's -g option that matches the target user's group in the password database, it is now allowed even if no groups are present in the Runas_Spec.
- A group ID (%#gid) can now be specified in the User_List or Runas_List files. Likewise, for non-Unix groups the syntax is %:#gid.
- The visudo utility now fixes the mode on the sudoers file even if no changes are made, unless the -f option is specified.

(BZ#759480)

Bug fixes

BZ#823993
The controlling tty of a suspended process was not saved by the sudo utility. Thus, the code handling the resume operation could not restore it correctly. Consequently, a suspended process run through the sudo utility could not be resumed. This bug has been fixed by rebasing to a new upstream version. As a result, suspending and resuming works correctly again.

BZ#840980
A change in the internal execution method of commands in the sudo utility was the cause of creating a new process and executing the command from there. To fix this bug, a new defaults option was added to restore the old behavior. Since the execution method has been implemented to correctly handle PAM session handling, I/O logging, SELinux support, and the plug-in policy close functionality, these features do not work correctly if the newly-implemented option is used. To apply this option, add the following line to the /etc/sudoers file:

Defaults cmnd_no_wait

As a result, if the newly-implemented option is used, commands will be executed directly by the sudo utility.

BZ#836242
The sudo utility set the core dump size limit to 0 to prevent the possibility of exposing the user password in the core dump file in case of an unexpected termination. However, this limit was not reset to the previous state before executing a command and the core dump size hard limit of a child process was eventually set to 0. Consequently, it was not possible to set the core dump size limit by processes run through the sudo utility. This bug was fixed by rebasing to a new upstream version; thus, setting the core dump size limit by processes run through the sudo utility works as expected.

BZ#804123
When initializing the global variable holding the PAM (Pluggable Authentication Modules) handle from a child process, which had a separate address space, a different PAM handle was passed to PAM API functions where the same handle was supposed to be used. Thus, the initialization had no effect on the parent's PAM handle when the pam_end_sessions() function was called. As a consequence, dependent modules could fail to initiate at session close in order to release resources or make important administrative changes. This bug has been fixed by rebasing to a newer upstream version, which uses the PAM API correctly (for example, initializes one PAM handle and uses it in all related PAM API function calls). As a result, PAM sessions are now closed correctly.

BZ#860397
Incorrect file permissions on the /etc/sudo-ldap.conf file and missing examples in the same file led to an inconsistency with documentation provided by Red Hat. With this update, file permissions have been corrected and example configuration lines have been added. As a result, /etc/sudo-ldap.conf is now consistent with the documentation.

BZ#844691
When the sudo utility set up the environment in which it ran a command, it reset the value of the RLIMIT_NPROC resource limit to the parent's value of this limit if both the soft (current) and hard (maximum) values of RLIMIT_NPROC were not limited. An upstream patch has been provided to address this bug and RLIMIT_NPROC can now be set to "unlimited".

BZ#879675
Due to different parsing rules for comments in the /etc/ldap.conf file, the hash ('#') character could not be used as part of a configuration value, for example in a password. It was understood as a beginning of a comment and everything following the # character was ignored. Now, the parser has been fixed to interpret the # character as a beginning of a comment only if it is at the beginning of a line. As a result, the '#' character can be used as part of a password, or any other value if needed.

BZ#872740
White space characters included in command arguments were not escaped before being passed to the specified command. As a consequence, incorrect arguments were passed to the specified command. This bug was fixed by rebasing to a new upstream version where the escape of command arguments is performed correctly. As a result, command arguments specified on the command line are passed to the command as expected.

Enhancements

BZ#789937
The sudo utility is able to consult the /etc/nsswitch.conf file for sudoers entries and look them up in files or via LDAP (Lightweight Directory Access Protocol). Previously, when a match was found in the first database of sudoers entries, the look-up operation still continued in other databases. In Red Hat Enterprise Linux 6.4, an option has been added to the /etc/nsswitch.conf file that allows users to specify a database after which a match of the sudoer's entry is sufficient. This eliminates the need to query any other databases; thus improving the performance of sudoer's entry look up in large environments. This behavior is not enabled by default and must be configured by adding the [SUCCESS=return] string after a selected database. When a match is found in a database that directly precedes this string, no other databases are queried.

BZ#846117
This update improves sudo documentation in the section describing wildcard usage, describing what unintended consequences a wildcard character used in the command argument can have.

Users of sudo should upgrade to these updated packages, which fix these bugs and add these enhancements.
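The comment-parsing change in BZ#879675, as an added example that is not sudo's own parser: it applies both rules described there to the same file and reports which settings the update reads differently. The sample file and its values are constructed, and treating only a '#' in the first column as a comment is a literal reading of the note.

```python
def _split(line):
    """Split 'key value...' on the first run of white space."""
    parts = line.split(None, 1)
    key = parts[0].lower()
    value = parts[1].strip() if len(parts) > 1 else ""
    return key, value


def parse_before_fix(text):
    """Behaviour described as the bug: '#' anywhere starts a comment."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, value = _split(line)
            settings[key] = value
    return settings


def parse_after_fix(text):
    """Behaviour after the fix: '#' is a comment only at the start of a line."""
    settings = {}
    for line in text.splitlines():
        if line.startswith("#") or not line.strip():
            continue
        key, value = _split(line)
        settings[key] = value
    return settings


def changed_by_fix(text):
    """Names of settings whose value differs between the two rules.

    Only key names are returned so that an audit report does not leak
    secrets such as the bind password.
    """
    old, new = parse_before_fix(text), parse_after_fix(text)
    return sorted(k for k in new if old.get(k) != new[k])


# Constructed sample; host names and credentials are made up.
SAMPLE = """\
# sudo LDAP client settings
uri ldap://ldap.example.com   # primary server
binddn cn=sudo-reader,dc=example,dc=com
bindpw Tr1cky#Secret
sudoers_base ou=SUDOers,dc=example,dc=com
"""
```

On the sample, `changed_by_fix` flags `bindpw`, which the old rule truncated to `Tr1cky`, and also `uri`, whose trailing comment becomes part of the value once only line-initial '#' characters are comments.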

6.243. sysfsutils

6.243.1. RHBA-2012:1453 — sysfsutils bug fix update

Updated sysfsutils packages that fix one bug are now available for Red Hat Enterprise Linux 6.

The sysfsutils packages provide a suite of daemons to manage access to remote directories and authentication mechanisms. The sysfsutils suite provides an NSS and PAM interface toward the system and a pluggable backend system to connect to multiple different account sources. It is also the basis to provide client auditing and policy services for projects like FreeIPA.

Bug Fix

BZ#671554
Prior to this update, sysfs directories were not closed as expected. As a consequence, the libsysfs library could leak memory in long running programs that frequently opened and closed sysfs directories. This update modifies the underlying code to close sysfs directories as expected.

All users of sysfsutils are advised to upgrade to these updated packages, which fix this bug.

6.244. syslinux

6.244.1. RHBA-2013:0473 — syslinux bug fix update

Updated syslinux packages that fix one bug are now available for Red Hat Enterprise Linux 6.

The syslinux utility is responsible for booting the operating system kernel.

Bug Fix

BZ#812034
A Coverity test revealed several static overruns in the creation of "hybrid" ISO images, which could lead to incorrect images being created. This bug has been fixed to correctly produce "hybrid" ISO images.

All users of syslinux are advised to upgrade to these updated packages, which fix this bug.

6.245. system-config-kdump

6.245.1. RHBA-2013:0292 — system-config-kdump bug fix and enhancement update

Updated system-config-kdump packages that fix three bugs and add one enhancement are now available for Red Hat Enterprise Linux 6.

The system-config-kdump packages provide a graphical tool to configure kernel crash dumping via kdump and kexec.

Bug Fixes

BZ#811104
An attempt to use system-config-kdump on the IBM System z machines caused an error message to appear. As a consequence, users were unable to choose the specific kernel. This bug has been fixed and the user can choose the required kernel in this situation.

BZ#829386
On IBM PowerPC computers, the system-config-kdump tool used the first crashkernel parameter instead of the last one and a traceback was returned when crashkernel value was set to "auto". With this update, system-config-kdump uses the last crashkernel parameter and allows this parameter to be set to "auto". As a result, tracebacks are no longer returned in the described scenario.

BZ#858280
Because some actions take longer time to finish, and the return timeout value was set too low, the front end did not receive an answer in an appropriate time, and displayed an error message. The return timeout has been set to 5 minutes and system-config-kdump works as expected now.

Enhancement

BZ#852766
This enhancement adds support for firmware-assisted dump (fadump) for IBM PowerPC computers. The user is now also allowed to choose between kdump and fadump.

All users of system-config-kdump are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.

6.246. system-config-kickstart

6.246.1. RHEA-2013:0470 — system-config-kickstart enhancement update

An updated system-config-kickstart package that adds one enhancement is now available for Red Hat Enterprise Linux 6.

The system-config-kickstart package contains Kickstart Configurator, a graphical tool for creating kickstart files.

Enhancement

BZ#819813
This update contains a complete Assamese translation of the system-config-kickstart package.

Users requiring Assamese translation of system-config-kickstart are advised to upgrade to this updated package, which adds this enhancement.

6.247. system-config-language

6.247.1. RHBA-2012:1213 — system-config-language bug fix update

An updated system-config-language package that fixes one bug is now available for Red Hat Enterprise Linux 6.

The system-config-language is a graphical user interface that allows the user to change the default language of the system.

Bug Fix

BZ#819811
When using system-config-language in a non-English locale, some of the messages in the GUI were not translated. Consequently, non-English users were presented with untranslated messages. With this update, all message strings have been translated.

All users of system-config-language are advised to upgrade to this updated package, which fixes this bug.

6.248. system-config-lvm

6.248.1. RHBA-2013:0385 — system-config-lvm bug fix update

Updated system-config-lvm packages that fix three bugs are now available for Red Hat Enterprise Linux 6.

The system-config-lvm packages contain a utility for configuring logical volumes (LVs) using a graphical user interface.

Bug Fixes

BZ#852864
When there was a RAID1 mirrored volume created using the lvm utility, system-config-lvm did not start correctly. The underlying source code has been modified to prevent system-config-lvm from terminating unexpectedly. The RAID1 volumes are now shown properly; however, they are visible as their underlying logical volumes.

BZ#820539
During an attempt to work with a mirror log, the system-config-lvm utility failed on start. This bug has been fixed and mirrored volumes are now supported as expected.

BZ#840070
Due to a bug in the best_fit() function, which tried to fit all existing logical volumes (LVs) into the display area, system-config-lvm did not start correctly on systems with a large amount of existing LVs. This bug has been fixed and system-config-lvm is fully functional even on systems with more than 350 LVs.

All users of system-config-lvm are advised to upgrade to these updated packages, which fix these bugs.

6.249. system-config-users

6.249.1. RHBA-2012:1387 — system-config-users bug fix update

Updated system-config-users packages that fix three bugs are now available for Red Hat Enterprise Linux 6.

The system-config-users packages provide a graphical utility for administrating users and groups.

Bug Fixes

BZ#736037
Prior to this update, expiration dates at or before January 1, 1970 were not correctly calculated. As a consequence, the system-config-users utility stored expiration dates off by one day into /etc/shadow. This update modifies the underlying code so that account expiration dates are calculated and stored correctly.

BZ#801652
Prior to this update, a string in the user interface was not correctly localized into Japanese. This update modifies the string so that the text is now correct.

BZ#841886
Prior to this update, the system-config-users utility determined incorrectly whether to set an account as inactive if an expired password was not reset during a specified period. This update modifies the underlying code to check for this condition by hard-coding the value which indicates this condition.

All users of system-config-users are advised to upgrade to these updated packages, which fix these bugs.

6.250. systemtap

6.250.1. RHBA-2013:0345 — systemtap bug fix and enhancement update

Updated systemtap packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

SystemTap is a tracing and probing tool to analyze and monitor activities of the operating system, including the kernel. It provides a wide range of filtering and analysis options.

Upgrade to an upstream version

The systemtap packages have been upgraded to upstream version 1.8, which provides a number of bug fixes and enhancements over the previous version. (BZ#843123)

Bug Fixes

BZ#746334
Many of the SystemTap examples for memory used tracepoints which did not exist in some versions of kernel. Consequently, if the user tried to run the mmanonpage.stp, mmfilepage.stp, or mmwriteback.stp files, this process failed. The examples have been updated to work with the memory tracepoints available in Red Hat Enterprise Linux 6 and SystemTap now works as expected.

BZ#822503
Previously, support for the IPv6 protocol was missing. Consequently, an attempt to execute a script that evaluates a tapset variable containing an IPv6 address, or call a tapset function returning an IPv6 address was unsuccessful, and the address field was filled with the "Unsupported Address Family" message instead of a valid IPv6 address. This update adds the support for the IPv6 protocol.

BZ#824311
Previously, changes in the include/trace/events/sunrpc.h file were referenced, but were not defined by the #include directive. As a consequence, the rpc tracepoint was missing. This tracepoint has been defined using #include and SystemTap works correctly in this situation.

BZ#828103
In previous kernels and versions of SystemTap, the nfsd.open probe-alias in the nfsd tapset referred to the "access" parameter, which was later renamed to "may_flags" in the kernel. Consequently, semantic errors occurred and the stap command failed to execute. With this update, the nfsd.open probe-alias checks under both names when setting the "access" script-level variable, and stap now works as expected in the described scenario.

BZ#884951
Recent kernel updates required updates to some of the NFS tapset definitions to find certain context variables. With this update, the tapset aliases now search both old and new locations.

All users of systemtap are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.251. tar

6.251.1. RHBA-2012:1372 — tar bug fix update

Updated tar packages that fix one bug are now available for Red Hat Enterprise Linux 6.

The tar packages provide the GNU tar program. GNU tar can save multiple files in one archive and can restore the files from that archive. This update fixes the following bug:

BZ#841308
Prior to this update, tar failed to match and extract given file names from an archive when this archive was created with the options "--sparse" and "--posix". This update modifies the underlying code to match and extract the given name as expected.

All users of tar are advised to upgrade to these updated packages, which fix this bug.

6.251.2. RHBA-2013:0489 — tar bug fix update

Updated tar packages that fix two bugs are now available for Red Hat Enterprise Linux 6.

The tar packages provide the GNU tar utility, which allows the user to save multiple files in one archive and can restore the files from that archive.

Bug Fixes

BZ#875727
When the "--strip-components" command-line parameter was used, the tar utility was unable to correctly match a file name that had to be extracted and the action failed. This bug has been fixed and tar now matches file names as expected in the described scenario.

BZ#877769
When the "--listed-incremental" command-line parameter was used and a file was specified multiple times, tar terminated unexpectedly with a segmentation fault. The underlying source code has been modified and tar no longer crashes under these circumstances.

All users of tar are advised to upgrade to these updated packages, which fix these bugs.

6.252. tboot

6.252.1. RHBA-2013:0524 — tboot bug fix update

Updated tboot packages that fix two bugs are now available for Red Hat Enterprise Linux 6.

The tboot packages provide the Trusted Boot (tboot) open source pre-kernel/VMM module. This module uses Intel Trusted Execution Technology (Intel TXT) to initialize the launch of operating system kernels and virtual machines.

Bug Fixes

BZ#885684
Due to an error in the underlying source code, a buffer overflow could occur and an attempt to boot the kernel with tboot enabled could fail with the following error:

Kernel panic - not syncing: Too many boot init vars at `numbers,'

This update applies an upstream patch that corrects this error, and the kernel now boots as expected.

BZ#834323
Prior to this update, the installed README file incorrectly identified the supported kernels. This update corrects this file and ensures that it no longer contains incorrect information.

All users of tboot are advised to upgrade to these updated packages, which fix these bugs.

6.253. tcsh

6.253.1. RHBA-2013:0446 — tcsh bug fix update

Updated tcsh packages that fix multiple bugs are now available for Red Hat Enterprise Linux 6.

The tcsh packages provide an enhanced and compatible version of the C shell (csh) command language interpreter, which can be used as an interactive login shell, as well as a shell script command processor.

Bug Fixes

BZ#769157
Prior to this update, the tcsh command language interpreter could run out of memory because of random "sbrk()" failures in the internal "malloc()" function. As a consequence, tcsh could abort with a segmentation fault. This update uses "system malloc" instead and tcsh no longer aborts.

BZ#814069
Prior to this update, aliases were inserted into the history buffer when saving the history in loops if the alias included a statement that did not work in the loop. This update no longer allows the history to be saved in loops. Now, only the first line of loops and the "if" statement are saved in the history. Aliases now work as expected.

BZ#821796
Prior to this update, casting was removed when calling a function in the history file locking patch. As a consequence, multibyte tests failed. This update reverts the status before the patch and tests no longer fail.

BZ#847102
Prior to this update, the tcsh logic did not handle file sourcing as expected. As a consequence, source commands failed when using a single-line "if" statement. This update modifies the underlying code to handle source commands as expected.

BZ#884937
Prior to this update, the SIGINT signal was not blocked when the tcsh command language interpreter waited for the child process to finish. As a consequence, tcsh could be aborted with the key combination Ctrl+c. This update blocks the SIGINT signal and tcsh is no longer aborted.

All users of tcsh are advised to upgrade to these updated packages, which fix these bugs.

6.254. tigervnc

6.254.1. RHBA-2013:0478 — tigervnc bug fix and enhancement update

Updated tigervnc packages that fix two bugs and add one enhancement are now available for Red Hat Enterprise Linux 6.

Virtual Network Computing (VNC) is a remote display system which allows you to view a computing 'desktop' environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures. This package contains a client which will allow you to connect to other desktops running a VNC server.

Bug Fixes

BZ#688624
When the Xvnc server was started by the vncserver init script, but no password file existed, the initscript failed without displaying a message. This bug is now fixed and the "VNC password for user is not configured" message appears when the password is not configured for the Xvnc session.

BZ#843714
Previously, the user was not allowed to change the value of the AcceptPointerEvents parameter while Xvnc was running. As a consequence, when the "vncconfig -set AcceptPointerEvents=1" command was used to enable, or "vncconfig -set AcceptPointerEvents=0" to disable, mouse input for a VNC session, it failed with an error message similar to the following:

Setting param AcceptPointerEvents=0 failed

Now the user is allowed to change the value of the AcceptPointerEvents parameter and the mouse input for a VNC session can be enabled or disabled while Xvnc is running.

Enhancement

BZ#844486
The tigervnc packages have been updated to match the latest X server version.

Users of tigervnc are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.

6.255. tog-pegasus

6.255.1. RHBA-2013:0418 — tog-pegasus bug fix and enhancement update

Updated tog-pegasus packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

OpenPegasus Web-Based Enterprise Management (WBEM) Services for Linux enables management solutions that deliver increased control of enterprise resources. WBEM is a platform- and resource-independent Distributed Management Task Force (DMTF) standard that defines a common information model and communication protocol for monitoring and controlling resources from diverse sources.

Upgrade to an upstream version

The tog-pegasus package has been upgraded to upstream version 2.12.0, which provides a number of bug fixes and enhancements over the previous version. (BZ#739118, BZ#825471)

Bug Fixes

BZ#812892
Previously, non-array properties of CMPI instances were not checked for NULL values in the cimserver daemon (OpenPegasus CIM server). This led to an unexpected termination of cimserver. This update provides an upstream patch for cimserver. Now, cimserver correctly returns instances with non-array properties including those containing NULL values.

BZ#869664
Prior to this update, all connections to cimserver were considered local host. Consequently, cimserver could not discern between local and remote connections and between granted and denied access. A patch has been provided to fix this bug. Now, cimserver is again capable of recognizing, firstly, whether connections are local or remote and, secondly, whether the access per user will be granted or denied.

Enhancement

BZ#716474
The cimserver daemon uses all of the well-known ports based on CIM/WBEM technology for network communication. This update provides the user with an option to configure which interfaces have to be used and to restrict cimserver to listen only on selected network interfaces.

Users of tog-pegasus are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.256. tomcat6

6.256.1. RHBA-2013:0480 — tomcat6 bug fix update

Updated tomcat6 packages that fix several bugs are now available for Red Hat Enterprise Linux 6.

The tomcat6 packages provide Apache Tomcat 6, which is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

Bug Fixes

BZ#576540
On Red Hat Enterprise Linux, Apache Tomcat initscripts should be located in the /etc/rc.d/init.d directory. However, the comman initscript was previously located in the /etc/init.d directory due to a mistake in the package specs file. With this update, the specs file has been updated and the conman script is located in the /etc/rc.d/init.d directory along with other initscripts as expected.

BZ#847288
When a web application used its own class loader, a deadlock in Tomcat WebappClassLoader could occur when compiling JSPs due to a synchronization bug. This update fixes the synchronization bug and external class loaders no longer interfere with WebappClassLoader.

BZ#798617
The service status returned an incorrect tomcat6 status when TOMCAT_USER in the /etc/tomcat6/tomcat6.conf file was changed to a user whose UID differed from the user GID due to incorrect logic in retrieving the process details. With this update, the code has been modified and the correct service status is now returned in this scenario.

BZ#785954
When Tomcat attempted to import a non-existing page with JavaScript fragments in the URL parameters, it returned a message that the resource was not available. This update adds HTML filtering to Tomcat and the servlet container now correctly returns the message that the resource is missing in this scenario.

Users of tomcat6 are advised to upgrade to these updated packages, which fix these bugs.

6.257. trace-cmd

6.257.1. RHBA-2013:0423 — trace-cmd bug fix and enhancement update

Updated trace-cmd packages that fix two bugs and add one enhancement are now available for Red Hat Enterprise Linux 6.

The trace-cmd packages contain a command-line tool that interfaces with the ftrace utility in the kernel.

Bug Fixes

BZ#746656
The trace-cmd extract command read a buffer multiple times even after an EOF condition. Consequently, the output of the trace-cmd command contained duplicate data. With this update, the trace-cmd utility has been modified to respect the EOF condition and avoid duplication of data in its output.

BZ#879792
When using the latency tracer, the start_threads() function was not called. Calling the stop_threads() function without first calling start_threads() caused the trace-cmd record command to terminate with a segmentation fault because PIDs were not initialized. Consequently, the trace.dat file was not generated. With this update, stop_threads() is not called unless start_threads() is called first. As a result, the segmentation fault no longer occurs.

Enhancement

BZ#838746
Previously, the trace-cmd record command was able to filter ftrace data based on a single PID only. With this update, multiple PIDs can be specified by using the "-P" option.

Users of trace-cmd are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.

6.258. tuned

6.258.1. RHBA-2013:0538 — tuned bug fix update

Updated tuned packages that fix two bugs are now available for Red Hat Enterprise Linux 6.

The tuned packages contain a daemon that tunes system settings dynamically. It does so by monitoring the usage of several system components periodically.

Bug Fixes

BZ#907856
Previously, the ktune service did not save readahead values. On startup, it multiplied the current value by a constant and divided the value by the same constant on stop. This could result in a wrong value being set on devices that were added after ktune had been started. Now, the previous readahead values are stored for all devices and the correct values are restored on ktune stop.

BZ#907768
Previously, when multiple devices were added into the system, a udev rule restarted ktune for each new device. This could lead to many restarts in a short period of time. The multiple restarts could trigger a race condition in the kernel, which cannot be currently fixed. The tuned daemon code has been modified not to trigger more than one restart per 10 seconds, thus preventing the race condition from occurring.

Users of tuned are advised to upgrade to these updated packages, which fix these bugs.

6.258.2. RHBA-2013:0386 — tuned bug fix update

Updated tuned packages that fix several bugs are now available for Red Hat Enterprise Linux 6.

The tuned packages contain a daemon that tunes system settings dynamically. It does so by monitoring the usage of several system components periodically.

Bug Fixes

BZ#714180
Red Hat Enterprise Linux 6.1 and later enters processor power-saving states more aggressively. This could result in a small performance penalty on certain workloads. With this update, the pmqos-static.py daemon has been added to the tuned packages, which allows the requested latency to be set using the kernel Power Management QoS interface. It is run when the "latency-performance" profile is activated and it sets cpu_dma_latency=0, which keeps the CPU in C0 state, thus making the system as responsive as possible.

BZ#784308
When the ELEVATOR_TUNE_DEVS option was set to a disk device in the /etc/sysconfig/ktune file instead of providing a disk scheduler control file, the scheduler setting was not written to a disk scheduler control file but directly into the disk device file. Consequently, contents of the disk could become corrupted. With this update, the value of ELEVATOR_TUNE_DEVS is checked and only the disk scheduler control file is allowed for writing. As a result, an invalid value of ELEVATOR_TUNE_DEVS is detected in the described scenario so that the disk contents damage can be prevented.

BZ#801561
When the tuned daemon ran with the "enterprise-storage" profile enabled and a non-root, non-boot disk partition from a device with write-back cache was mounted, tuned remounted the partition with the "nobarriers" option. If a power failure occurred at that time, the file system could become corrupted. With this update, tuned can detect usage of write-back cache on devices communicating with kernel via SCSI. In these cases, "nobarriers" is now disabled, thus preventing this bug in the described scenario.

BZ#845336
Previously, when the tuned service was started, the tuned PID file was created with world-writable permissions. This bug has been fixed and the /var/run/tuned/tuned.pid file is now created with correct permissions as expected.

BZ#847445
On a machine with hot-plug disk devices with the "enterprise-storage" profile activated, a new disk device could be added into the system, or the disk could be removed and inserted back. In such a scenario, the scheduler and read-ahead settings from the profile were not applied on the newly-added disks. With this update, a new udev rule has been added, which restarts the ktune daemon whenever a new disk device is added, thus fixing this bug.

BZ#887355
The transparent hugepage kernel thread could interfere with latency-sensitive applications. To lower the latency, the transparent hugepages are now disabled in the latency-performance tuned profile.

BZ#886956
Previously, non-root, non-boot partitions were re-mounted using the "nobarrier" option to improve performance. On virtual guests, this could lead to data corruption if power supply was suddenly interrupted, because there was usually a host cache in transfer. This bug has been fixed and the virtual-guest profile no longer re-mounts partitions using "nobarrier".

Users of tuned are advised to upgrade to these updated packages, which fix these bugs.
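The kind of check BZ#784308 describes, as an added example that is not tuned's or ktune's own code: a scheduler name is written only when the target is a regular file at a `queue/scheduler` path under sysfs, so a disk device node given in ELEVATOR_TUNE_DEVS is rejected instead of overwritten. The function names, the `/sys/block/<dev>/queue/scheduler` pattern and the `sysfs_prefix` parameter are assumptions of this example; the directory tree in `demo()` is constructed.

```python
import os
import re
import stat
import tempfile

# Assumed sysfs location of a block device's I/O scheduler control file.
SCHEDULER_PATH = re.compile(r"^/sys/block/[^/]+/queue/scheduler$")


def check_tune_target(path, sysfs_prefix="/sys"):
    """Return (ok, reason) for one expanded ELEVATOR_TUNE_DEVS entry.

    sysfs_prefix (hypothetical) lets the check run against a constructed
    tree instead of the live /sys.
    """
    norm = os.path.normpath(path)
    prefix = os.path.normpath(sysfs_prefix)
    try:
        mode = os.stat(norm).st_mode
    except OSError:
        return False, "does not exist"
    # A block or character device here is the dangerous case: a write
    # would land on the device contents, not on a tuning knob.
    if stat.S_ISBLK(mode) or stat.S_ISCHR(mode):
        return False, "device node, not a scheduler control file"
    if not stat.S_ISREG(mode):
        return False, "not a regular file"
    if not norm.startswith(prefix + os.sep):
        return False, "outside sysfs"
    logical = "/sys" + norm[len(prefix):].replace(os.sep, "/")
    if not SCHEDULER_PATH.match(logical):
        return False, "not a queue/scheduler path"
    return True, "scheduler control file"


def set_scheduler(path, scheduler, sysfs_prefix="/sys"):
    """Write the scheduler name only if the target passes the check."""
    ok, reason = check_tune_target(path, sysfs_prefix)
    if not ok:
        raise ValueError("refusing to write to %s: %s" % (path, reason))
    with open(path, "w") as handle:
        handle.write(scheduler)


def demo():
    """Exercise both cases on a constructed tree and return the outcome."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        control = os.path.join(root, "block", "sda", "queue", "scheduler")
        os.makedirs(os.path.dirname(control))
        with open(control, "w") as handle:
            handle.write("noop [cfq] deadline\n")
        # Constructed stand-in for a disk device given by mistake.
        disk = os.path.join(root, "fake_disk")
        with open(disk, "w") as handle:
            handle.write("FILESYSTEM DATA")

        set_scheduler(control, "deadline", sysfs_prefix=root)
        with open(control) as handle:
            results["control_file"] = handle.read()
        try:
            set_scheduler(disk, "deadline", sysfs_prefix=root)
            results["disk_rejected"] = False
        except ValueError:
            results["disk_rejected"] = True
        with open(disk) as handle:
            results["disk_contents"] = handle.read()
    return results


if __name__ == "__main__":
    for key, value in sorted(demo().items()):
        print(key, "=", repr(value))
```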

6.259. udev

6.259.1. RHBA-2013:0435 — udev bug fix and enhancement update

Updated udev packages that fix several bugs and add one enhancement are now available for Red Hat Enterprise Linux 6.

The udev packages implement a dynamic device directory, providing only the devices present on the system. This dynamic directory is managed in user space, dynamically creates and removes devices, provides consistent naming, and a user-space API.

Bug Fixes

BZ#784697
Previously, the /dev/disk/by-id file contained all expected symbolic links for cciss devices, but only one device link was present in the /dev/disk/by-path/ directory. This bug has been fixed and this file now contains all symbolic links as expected.

BZ#790321
The udev(7) man page did not document the hex encoding of blacklisted characters used in the device or symbolic link names. This update adds a paragraph about character encoding into the SYMLINK section of the udev(7) man page.

BZ#829188
Due to a bug in the binutils linker, the libudev library lost the ExecShield (GNU_RELRO) section and was not protected by the ExecShield security mechanism. This update contains libudev with the ExecShield (GNU_RELRO) section included.

BZ#838451
When using multipath devices, the udev utility tried to make a UUID symbolic link for all the different paths, but only the first one succeeded. Consequently, udev wrote several "File exists" error messages to the system log. This update provides a patch to change these messages from being logged as an error message to being logged as an informational message.

BZ#847925
When no medium was inserted in a drive, the cdrom_id utility, which is an udev helper tool, could not read DV and CD-ROM drive profiles. Consequently, the udev properties for the device node of the drive may not have contained all properties describing the capabilities of the drive, which could prevent other software using the udev database from offering all functionality for the drive. This bug has been fixed and all udev properties for the drive, which cdrom_id detects via drive's properties, are now stored for the device as expected.

Enhancement

BZ#826396
Previously, kernel messages showed device names instead of persistent device names provided by udev. As a consequence, device names could point to different devices every boot. This enhancement adds a new feature, which stores the mapping of device names, such as sda or sdb, and persistent device names to kernel messages.

All users of udev are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.
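A check for the condition in BZ#829188, as an added example rather than code from udev or Red Hat: it walks an ELF file's program headers and reports whether a PT_GNU_RELRO segment is present, which is what a library that "lost" GNU_RELRO would be missing. The function names are this example's own and the sample ELF images are constructed inline; pass real library paths on the command line to check installed files.

```python
import struct
import sys

PT_LOAD = 1
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552


class NotElf(ValueError):
    """Raised when the input is not a parseable ELF image."""


def program_header_types(data):
    """Return the p_type of every program header in an ELF image."""
    if len(data) < 16 or data[:4] != b"\x7fELF":
        raise NotElf("missing ELF magic")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise NotElf("unknown ELF class or byte order")
    endian = "<" if ei_data == 1 else ">"
    # Header fields after e_ident; e_entry, e_phoff and e_shoff are
    # 64-bit in ELF64 and 32-bit in ELF32.
    fmt = endian + ("HHIQQQIHHHHHH" if ei_class == 2 else "HHIIIIIHHHHHH")
    if len(data) < 16 + struct.calcsize(fmt):
        raise NotElf("truncated ELF header")
    fields = struct.unpack_from(fmt, data, 16)
    e_phoff, e_phentsize, e_phnum = fields[4], fields[8], fields[9]
    types = []
    for index in range(e_phnum):
        offset = e_phoff + index * e_phentsize
        if offset + 4 > len(data):
            raise NotElf("program header table runs past end of file")
        # p_type is the first 32-bit word of Elf32_Phdr and Elf64_Phdr.
        types.append(struct.unpack_from(endian + "I", data, offset)[0])
    return types


def has_gnu_relro(data):
    """True if the image carries a PT_GNU_RELRO program header."""
    return PT_GNU_RELRO in program_header_types(data)


def check_file(path):
    """Read a file from disk and report whether it has GNU_RELRO."""
    with open(path, "rb") as handle:
        return has_gnu_relro(handle.read())


def build_sample_elf(p_types):
    """Constructed ELF64 little-endian image with the given segments."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    header = struct.pack("<HHIQQQIHHHHHH",
                         3, 62, 1, 0, 64, 0, 0, 64, 56, len(p_types), 0, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 4, 0, 0, 0, 0, 0, 8)
                     for t in p_types)
    return ident + header + phdrs


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for name in sys.argv[1:]:
            try:
                state = "present" if check_file(name) else "MISSING"
            except (NotElf, OSError) as exc:
                state = "skipped (%s)" % exc
            print("%s: GNU_RELRO %s" % (name, state))
    else:
        good = build_sample_elf([PT_LOAD, PT_GNU_STACK, PT_GNU_RELRO])
        bad = build_sample_elf([PT_LOAD, PT_GNU_STACK])
        print("sample with RELRO:", has_gnu_relro(good))
        print("sample without RELRO:", has_gnu_relro(bad))
```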

6.260. usbredir

6.260.1. RHBA-2013:0346 — usbredir bug fix and enhancement update

Updated usbredir packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The usbredir packages provide a protocol for redirection of USB traffic from a single USB device to a different virtual machine than the one to which the USB device is attached. The usbredir packages contain a number of libraries to help implement support for usbredir.

Upgrade to an upstream version

The usbredir packages have been upgraded to upstream version 0.5.1, which provides a number of bug fixes and enhancements over the previous version. (BZ#842356)

Bug Fixes

BZ#834560
Due to a bug in the libusbredirhost library, handling of timeouts for bulk transfers did not work correctly. Consequently, traffic of USB ACM serial port devices, such as PSTN modems and SmartCard readers, could not be properly redirected. With this update, no timeout is set on the usb-host side for these devices and the traffic redirection works as expected.

BZ#855737
The usbredir code was allocating an unlimited amount of write buffers. Consequently, when a USB webcam produced data faster than it could be written out, the write queue grew boundlessly and the remote-viewer utility used an enormous amount of RAM. The underlying source code has been modified so that usbredir now checks how large the write queue is and drops isochronous data packets when the queue is too long.

Enhancement

BZ#842316
Support for live migration of SPICE USB redirection requires support for state serialization. This update adds this missing support to the libusbredirparser library.

All users of usbredir are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.261. util-linux-ng

6.261.1. RHSA-2013:0517 — Low: util-linux-ng security, bug fix and enhancement update

Updated util-linux-ng packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.

The util-linux-ng packages contain a large variety of low-level system utilities that are necessary for a Linux operating system to function.

Security Fix

CVE-2013-0157
An information disclosure flaw was found in the way the mount command reported errors. A local attacker could use this flaw to determine the existence of files and directories they do not have access to.

Bug Fixes

BZ#790728
Previously, the blkid utility ignored swap area UUIDs if the first byte was zero. As a consequence, the swap areas could not be addressed by UUIDs; for example, from the /etc/fstab file. The libblkid library has been fixed and now swap partitions are labeled with a valid UUID value if the first byte is zero.

BZ#818621
Previously, the lsblk utility opened block devices to check if the device was in read-only mode, although the information was available in the /sys file system. This resulted in unexpected SELinux alerts and unnecessary open() calls. Now, the lsblk utility does not perform unnecessary opening operations and no longer reads the information from the /sys file system.

BZ#736245
On a non-uniform CPU configuration, for example on a system with two sockets with a different number of cores, the lscpu command failed unexpectedly with a segmentation fault and a core dump was generated. After this update, when executing the lscpu command on such a configuration, the correct result is printed and no core dump is generated.

BZ#837935
On a system with a large number of active processors, the lscpu command failed unexpectedly with a segmentation fault and a core dump was generated. This bug is now fixed and the lscpu command now works as expected on this configuration.

BZ#819945
Executing the hwclock --systz command to reset the system time based on the current time zone caused the clock to be incorrectly adjusted by one hour. This was because hwclock did not adjust the system time during boot according to the "warp clock" semantic described in the settimeofday(2) man page. With this update, hwclock correctly sets the system time when required.

BZ#845477
When SELinux options were specified both in the /etc/fstab file and on the command line, mounting failed and the kernel logged the following error upon running dmesg:

SELinux: duplicate or incompatible mount options

The handling of SELinux options has been changed so that options on the command line now replace options given in the /etc/fstab file and as a result, devices can be mounted successfully.

BZ#845971
Due to a change in the search order of the mount utility, while reading the /etc/fstab file, the mount command returned a device before a directory. With this update, the search order has been modified and mount now works as expected.

BZ#858009
Previously, any new login or logout sequence by a telnet client caused the /var/run/utmp file to increase by one record on the telnetd machine. As a consequence, the /var/run/utmp file grew without a limit. As a result of trying to search through a huge /var/run/utmp file, the machine running telnetd could experience more severe side-effects over time. For example, the telnetd process could become unresponsive or the overall system performance could degrade. The telnetd now creates a proper record in /var/run/utmp before starting the logging process. As a result, the /var/run/utmp does not grow without a limit on each new login or logout sequence of a telnet session.

BZ#730891, BZ#783514, BZ#809139, BZ#820183, BZ#839281
Man pages of several utilities included in the package have been updated to fix minor mistakes and add entries for previously undocumented functionalities.

Enhancements

BZ#719927
A new --compare option for hwclock to compare the offset between system time and hardware clock has been added due to a discontinued distribution of adjtimex in Red Hat Enterprise Linux 6.0 and later, which had previously provided this option.

BZ#809449
The lsblk command now supports a new option, --inverse, used to print dependencies between block devices in reverse order. This feature is required to properly reboot or shut down systems with a configured cluster.

BZ#823008
The lscpu utility, which displays detailed information about the available CPUs, has been updated to include numerous new features. Also, a new utility, chcpu, has been added, which allows the user to change the CPU state (online or offline, standby or active, and other states), disable and enable CPUs, and configure specified CPUs. For more information about these utilities, refer to the lscpu(1) and chcpu(8) man pages.

Users of util-linux-ng are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.262. valgrind

6.262.1. RHBA-2013:0347 — valgrind bug fix and enhancement update

Updated valgrind packages that fix several bugs and add an enhancement are now available for Red Hat Enterprise Linux 6.

The valgrind packages provide a programming utility for debugging memory, detecting memory leaks, and profiling.

Upgrade to an upstream version

The valgrind packages have been upgraded to upstream version 3.8.1, which provides a number of bug fixes over the previous version. (BZ#823005)

Bug Fixes

BZ#730303
When running a large program under valgrind, the "Valgrind: FATAL: VG_N_SEGNAMES is too low." error messages could be returned. With this update, the compile time constants have been increased (VG_N_SEGMENTS to 50000, VG_N_SEGNAMES to 25000) and these errors no longer occur.

BZ#862795
Previously, the valgrind gdbserver did not properly report exit or a fatal-signal process termination to the gdb debugger. Consequently, the "Remote connection closed" error messages were returned. This bug has been fixed in the code and the process termination is now properly reported in gdb.

BZ#816244
On IBM S/390 architecture, valgrind could report a "Conditional jump or move depends on uninitialized value(s)" warning message for the tsearch() function in glibc. This update includes a standard suppression for these warning messages, which are no longer reported.

Enhancement

BZ#672959
The embedded gdbserver has been added to allow integration of valgrind with the gdb debugger.

Users of valgrind are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.

6.263. vgabios

6.263.1. RHBA-2013:0487 — vgabios bug fix update

An updated vgabios package that fixes one bug is now available for Red Hat Enterprise Linux 6.

The vgabios package provides a GNU Lesser General Public License (LGPL) implementation of a BIOS for video cards. The vgabios package contains BIOS images that are intended to be used in the Kernel Virtual Machine (KVM).

Bug Fix

BZ#840087
Previously, an attempt to boot a Red Hat Enterprise Virtualization Hypervisor ISO in a virtual machine was unsuccessful. The boot menu appeared but then stopped responding. The underlying source code has been modified and the virtual machine now works as expected in the described scenario.

All users of vgabios are advised to upgrade to this updated package, which fixes this bug.

6.264. virtio-win

6.264.1. RHBA-2013:0441 — virtio-win bug fix and enhancement update

Updated virtio-win packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The virtio-win packages provide paravirtualized network drivers for most Microsoft Windows operating systems. Paravirtualized drivers are virtualization-aware drivers used by fully virtualized guests running on Red Hat Enterprise Linux. Fully virtualized guests using the paravirtualized drivers gain significantly better I/O performance than fully virtualized guests running without the drivers.

Bug Fixes

BZ#750421
Prior to this update, a Windows Server 2003 guest could become suspended when rebooting if the balloon size was changed before, due to a lack of free memory. This update releases the memory to the guest before processing the power management request.

BZ#760022
Prior to this update, the virtio-win floppy disk did not contain NDIS drivers for Windows XP and Windows 7 platforms due to a lack of free space on VFD media. This update modifies the underlying code and switches to 2.88 MB media instead of 1.44 MB.

BZ#768795
Prior to this update, the work items processed the inflate and deflate requests. As a consequence, a stop error could occur when several requests were executed simultaneously. This update uses a dedicated thread instead of work items to process the inflate and deflate requests in sequence.

BZ#805423
Prior to this update, the port surprise-removal handler did not stop and purge the write and read queues. As a consequence, requests could be sent to already removed devices. This update modifies the underlying code to stop and purge the write and read queues as expected and requests are no longer sent to removed devices.

BZ#807967, BZ#875155
Prior to this update, the initialization sequence of the virtio-net driver did not work properly after disabling and enabling virtio-net, or when resetting the power management. As a consequence, the first packets that were sent through the DHCP client could, under certain circumstances, become suspended in the queue and the DHCP client did not receive the IP address. With this update, the initialization sequence has been fixed and virtio-net now works as expected in the described scenario.

BZ#814896
Prior to this update, the virtio queue was not correctly reinitialized during the resume routine. As a consequence, ports could not handle the read requests correctly. This update adds the correct virtual queue for re-initialization when resuming after hibernation.

BZ#815295
On Microsoft Windows 7 operating system, a driver disregarded platform requests to indicate only a certain number of packets during one DPC (Deferred Procedure Call). As a consequence, the Windows Hardware Quality Labs (WHQL) test failed and the platform did not moderate the driver workload for the RX path. This update modifies the underlying code to implement packet indication moderation and the WHQL certification now passes in the described scenario.

BZ#824814
Prior to this update, the viostor driver did not handle configuration change events as expected. Consequently, when a relevant image was resized on-line, viostor left it unattended. This update modifies the underlying code to reset the bus sequence when changing the configurations and the driver can now recognize that media has been resized.

BZ#831570
Prior to this update, the work items processed the inflate and deflate requests. As a consequence, the inflate and deflate requests could be executed simultaneously with PnP and Power management (PM) handlers. This update uses a dedicated thread instead of work items to process the PnP and PM requests only after all other pending requests are completed.

BZ#839143
Prior to this update, the balloon driver failed to keep the current balloon size between hibernation-resume cycles and restarts. This update keeps the current balloon size between restarts and hibernation-resume cycles and adjusts the balloon size according to this value.

Enhancements

BZ#782268
This update introduces the vioscsi.sys driver to virtio-win packages to provide virtio-scsi functionality to Microsoft Windows platforms.

BZ#828275
This update adds support for the virtio control queue to offload RX filtering to the host.

BZ#834175
This update supports all possible offload combinations and offload parities between IPv4 and IPv6 for Windows certification 2012 and Windows 8 certification.

BZ#838005
This update adds offloads for IPv6 to virtio packages.

BZ#908163
This update adds virtual floppy drive drivers for Windows Server 2008 R2 guests to virtio packages.

Users of virtio-win are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.265. virt-manager

6.265.1. RHBA-2013:0451 — virt-manager bug fix and enhancement update

Updated virt-manager packages that fix three bugs and add one enhancement are now available for Red Hat Enterprise Linux 6.

Virtual Machine Manager (virt-manager) is a graphical tool for administering virtual machines for KVM, Xen, and QEMU. The virt-manager utility uses the libvirt API and can start, stop, add or remove virtualized devices, connect to a graphical or serial console, and view resource usage statistics for existing virtualized guests on local or remote machines.

Bug Fixes

BZ#802639
Previously, the live migration dialog box of the virt-manager tool incorrectly described the unit of bandwidth as "Mbps" instead of "MB/s". With this update, the migration dialog has been changed to provide correct information on bandwidth units.

BZ#824275
Prior to this update, an unnecessary reboot occurred after the virt-manager tool created a new guest virtual machine by importing an existing disk image. With this update, a backported upstream patch has been provided, and virt-manager no longer restarts after importing an existing disk image.

BZ#872611
Due to differences in dependency solving between the yum and rpm programs, the virt-manager package failed to update from "noarch" to a newer architecture version. With this update, a patch has been provided to mark the noarch version as obsolete. As a result, the noarch package can now be updated without complications.

Enhancement

BZ#878946
The "Delete Associated storage files" option is enabled by default in the virt-manager tool. A warning message is displayed prior to file deletion to notify the user about this configuration.

All users of virt-manager are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.

6.266. virt-top

6.266.1. RHBA-2013:0391 — virt-top bug fix and enhancement update

Updated virt-top packages that fix two bugs and add three enhancements are now available for Red Hat Enterprise Linux 6.

The virt-top utility displays statistics of virtualized domains and uses many of the same keys and command-line options as the top utility.

Bug Fixes

BZ#807176
Prior to this update, the "-o" (sort) option was not properly described in the output of the "virt-top --help" command. Four of the possible sort parameters were not mentioned in the description. This bug has been fixed and the full range of sort parameters is now shown in the virt-top --help message.

BZ#834208
Previously, the column names of the virt-top summary table were not explained in the virt-top man page. The manual page has been updated, and the headings are now properly documented in the "COLUMN HEADINGS" section.

Enhancements

BZ#825627
The copyright information has been updated in the virt-top man pages and help documents.

BZ#835547
This update adds a separate man page for the processcsv.py script, which was previously documented only in the virt-top man page.

BZ#841759
With this update, the "virt-top -1" command has been enhanced to separately display the usage of virtual CPUs. Two numbers are now shown under each domain column; the first is the percentage of the physical CPU used by the domain and the hypervisor together, the second is the percentage used just by the domain. This information is important for performance tuning and other tasks.

All users of virt-top are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.267. virt-v2v

6.267.1. RHBA-2013:0477 — virt-v2v bug fix and enhancement update

Updated virt-v2v packages that fix several bugs and add one enhancement are now available for Red Hat Enterprise Linux 6.

The virt-v2v packages provide a tool for converting virtual machines to use the Kernel-based Virtual Machine (KVM) hypervisor or Red Hat Enterprise Virtualization. The tool modifies both the virtual machine image and its associated libvirt metadata. Also, virt-v2v can configure a guest to use VirtIO drivers if possible.

Bug Fixes

BZ#794680
The virt-v2v packages used to rename block devices in various guest configuration files during conversion, including the /etc/fstab file. Consequently, the virt-v2v utility returned a redundant warning message when a guest's /etc/fstab file referred to the /etc/fd0 file as the block device did not know it. To fix this bug, warning messages concerning floppy devices have been explicitly suppressed and virt-v2v no longer returns warning messages in this situation.

BZ#803629
When reading a libvirt guest, virt-v2v uses libvirt metadata to determine the on-disk format, considering only those of "dir", "fs", and "netfs" types as meaningful. If a guest used a different type of storage pool, virt-v2v interpreted these data as a format type, and the libvirt guest could not be converted. To address this bug, virt-v2v now uses volume format metadata only from storage pools of type "dir", "fs", and "netfs"; all other storage pools can only hold raw data, so the format is assumed to be "raw". As a result, virt-v2v can now convert libvirt guests using any supported storage pool type.

BZ#838057
When creating a new libvirt guest, virt-v2v failed to disable caching for disks as recommended. As a consequence, guests created by virt-v2v used caching for their disks, unless explicitly disabled by the user after conversion. To address this bug, virt-v2v now explicitly disables caching for all disks when creating a new libvirt guest, and guests created by virt-v2v now have caching disabled for all disks. The user can enable it again if required after conversion.

BZ#868405
Virt-v2v failed when attempting to perform an on-disk format conversion when reading a guest using the libvirtxml input method. A patch has been provided to fix this bug and virt-v2v can now perform format conversions on guests using libvirtxml.

Enhancement

BZ#682945
With this update, virt-v2v can do an on-disk format conversion while converting a remote libvirt guest. Note that when doing this kind of format conversion, virt-v2v must make an intermediate copy of the guest storage data on the conversion server. Other types of conversion do not require any intermediate storage on the conversion server. The user must ensure that the TMPDIR temporary directory has sufficient space for this intermediate copy.

Users of virt-v2v are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.

6.268. virt-viewer

6.268.1. RHBA-2013:0361 — virt-viewer bug fix and enhancement update

Updated virt-viewer packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The virt-viewer packages provide Virtual Machine Viewer, which is a lightweight interface for interacting with the graphical display of a virtualized guest. Virtual Machine Viewer uses libvirt and is intended as a replacement for traditional VNC or SPICE clients.

Bug Fixes

BZ#814150
The remote-viewer and virt-viewer tools both use the same constant to print their usage message. Consequently, when the user used an unknown command option with the remote-viewer command, the error message referred to the virt-viewer --help command instead of the remote-viewer --help command. With this update, the remote-viewer and virt-viewer code has been modified so that the commands now return the correct error message when used with an unknown option.

BZ#822794
When connected to a guest using the virt-viewer -v command and the console was closed, the command prompt was printed at the end of the last line instead of on a new line. This update fixes this bug and the command prompt is printed correctly.

BZ#832121
If the XML listen attribute contained a string consisting of the colon (“:”) and zero (“0”) characters, virt-viewer did not treat the string as a wildcard address and did not create an appropriate remote host address as expected. Consequently, an attempt to connect to a remote host with such an address led to a connection failure. This update modifies the underlying source code to treat the aforementioned characters as wildcards and virt-viewer now successfully connects to a remote host in the described scenario.

BZ#854318
Due to changes in the latest upstream version of the spice-gtk packages, virt-viewer stopped working with the new spice-gtk module. With this update, the virt-viewer packages have been rebuilt to work properly with this new version of spice-gtk.

BZ#856610
Previously, the automatic window resize option did not work correctly with the remote-viewer client. When disabling and then re-enabling the automatic window size, the resized window was smaller than expected. This update provides a patch to fix this bug and the automatic window resize option now works properly.

BZ#856678
Within certain non-US keyboard layouts, keyboard shortcuts using the “Alt” key and another character worked even if they were disabled in a virtual machine. This update applies a patch that fixes this bug and keyboard shortcuts are now disabled as expected.

BZ#864929
Previously, when the virt-viewer client was sized to the full screen, the virt-viewer size resolution could not be set to a higher resolution than the monitor's native resolution. With this update, the user is now able to set a higher resolution than the monitor's native resolution.

BZ#867248
When connecting to a SPICE guest and the user input an incorrect graphic password first, a later attempt to connect using the correct password was unsuccessful, and the virt-viewer tool terminated unexpectedly. This update modifies the underlying code so that virt-viewer no longer crashes in the described scenario.

BZ#867459
When connecting to the Red Hat Enterprise Virtualization portal and the remote-viewer client was started from the XPI plug-in, the client terminated unexpectedly with a segmentation fault. This update modifies the underlying code and applies a patch to fix this bug so that remote-viewer now works as expected in this situation.

BZ#881020
Previously, when using remote-viewer to display multiple screens of a virtual machine with multiple physical displays, under certain circumstances, remote-viewer could display only one screen in a single remote-viewer window and the other screens were disconnected. With this update, the underlying code has been modified so that all physical displays are now properly displayed in the respective remote-viewer windows.

Enhancements

BZ#828339
This enhancement provides the new --title option which allows the user to specify a title displayed in the remote-viewer window title bar.

BZ#842305
With this update, the virt-viewer tool supports the SpiceMonitorsConfig display message.

BZ#865793
The virt-viewer tool is now able to handle requests from the Red Hat Enterprise Virtualization portal to enable or disable passing of the Ctrl+Alt+Delete key combination to the guest operating system.

BZ#875126
Screenshots can be currently saved only in the PNG format. With this update, the “.png” suffix is automatically added to the screenshot file name if it is missing.

All users of virt-viewer are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.269. virt-what

6.269.1. RHEA-2013:0483 — virt-what enhancement update

Updated virt-what packages that add one enhancement are now available for Red Hat Enterprise Linux 6.

The virt-what packages provide a command-line tool that is used to detect whether the operating system is running inside a virtual machine.

Enhancement

BZ#829427
This enhancement adds support for the Virtage hardware partitioning system to the virt-what utility.

All users of virt-what are advised to upgrade to these updated packages, which add this enhancement.

6.270. virt-who

6.270.1. RHBA-2013:0374 — virt-who bug fix and enhancement update

Updated virt-who packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The virt-who packages provide an agent that collects information about virtual guests present in the system and reports them to the Red Hat Subscription Manager tool.

Bug Fixes

BZ#825215
Previously, when running the virt-who service, unregistering a Red Hat Enterprise Virtualization Hypervisor host from the Subscription Asset Manager (SAM) server caused the service to be terminated with the following message:

SubscriptionManagerError: No such file or directory
Error in communication with candlepin, trying to recover
Unable to read certificate, system is not registered or you are not root

Only the last line of the aforementioned message should have been displayed. This bug has been fixed, and the traceback errors are now saved to the log file and not printed on the screen.

BZ#866890
When a snapshot of a virtual machine (VM) was created in Microsoft Hyper-V Server, the virt-who agent replaced the UUID of the VM file with the UUID of the snapshot. This bug has been fixed, and the UUID is not changed in the described case. Additionally, in certain cases, the virt-who agent running with the "--hyperv" command-line option terminated with the following message:

AttributeError: HyperV instance has no attribute 'ping'

This bug has been fixed and the aforementioned error no longer occurs.

BZ#869960
Previously, the virt-who agent failed to function correctly when a URL, which was set in the VIRTWHO_ESX_SERVER parameter, was missing the initial "https://" string. With this update, virt-who has been modified, and "https://" is no longer required in VIRTWHO_ESX_SERVER.

Enhancements

BZ#808060
With this update, the virt-who agent has been modified to start as a foreground process and to print error messages or debugging output (the "-d" command-line option) to the standard error output. Moreover, the following command-line options have been enhanced: the "-o" option provides the one-shot mode and exits after sending the list of guests; the "-b" option and the "service virt-who start" command equivalently start in the background and send data to the /var/log/ directory.

BZ#846788
The virt-who agent has been modified to support Red Hat Enterprise Virtualization Manager polling.

BZ#860854
With this update, the virt-who agent has been modified to correctly recognize guest virtual machines, which are installed on top of Microsoft Hyper-V Server.

BZ#868149
The virt-who manual pages and the output of the "virt-who --help" command have been enhanced with clarifying information. In addition, a typographical error has been corrected in both texts.

All users of virt-who are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.271. wdaemon

6.271.1. RHBA-2013:0293 — wdaemon bug fix and enhancement update

Updated wdaemon packages that fix one bug and add one enhancement are now available for Red Hat Enterprise Linux 6.

The wdaemon packages contain a daemon to wrap input driver hotplugging in the X.Org implementation of the X Window System server. The wdaemon packages emulate virtual input devices so that the otherwise non-persistent configuration of Wacom tablets persists across device removals.

Bug Fix

BZ#852332
Due to the broken %postun scriptlet, an attempt to uninstall wdaemon caused an error message to appear. This error message also occurred during the wdaemon update because the old package is removed during the update. Consequently, the wdaemon service was not restarted after the update. The %postun scriptlet has been fixed and wdaemon works as expected in this situation.

Enhancement

BZ#838752
This enhancement adds support for emulation of the Wacom Intuos5 tablet series.

All users of wdaemon are advised to upgrade to these updated packages, which fix this bug and add this enhancement.

6.272. wget

6.272.1. RHBA-2012:1353 — wget bug fix update

Updated wget packages that fix one bug are now available for Red Hat Enterprise Linux 6.

The wget packages provide the GNU Wget file retrieval utility for HTTP, HTTPS, and FTP protocols. Wget provides various useful features, such as the ability to work in the background while the user is logged out, recursive retrieval of directories, file name wildcard matching or updating files in dependency on file timestamp comparison.

Bug Fixes

BZ#754168
Prior to this update, the wget package contained a redundant URL to the wget upstream project. This update modifies the specification file to list the correct http://www.gnu.org/software/wget/.

BZ#814208
Prior to this update, the wget utility did not work as intended with the "-T, --timeout" option set when the HTTP server did not answer the SSL handshake. The wget source code has been patched to ensure that wget correctly aborts the connection when the --timeout option is used.

BZ#714893
Prior to this update, the wget source code lacked a check of the return value of the HTTP response parsing function. In some cases, when the HTTP response header was malformed (fuzzed), the parsing function returned an error. Because the returned value was not checked, a segmentation fault occurred. This update adds a check of the HTTP response parsing function return value to the wget source code. Now, when the HTTP response header is malformed (fuzzed) and the parsing function returns an error, the following error message is displayed and wget retries the request:

2012-10-01 10:13:44 ERROR -1: Malformed status line.

All users of wget are advised to upgrade to these updated packages, which fix this bug.

6.273. wpa_supplicant

6.273.1. RHBA-2013:0431 — wpa_supplicant bug fix and enhancement update

Updated wpa_supplicant packages that fix multiple bugs and add one enhancement are now available for Red Hat Enterprise Linux 6.

The wpa_supplicant packages contain a WPA (Wi-Fi Protected Access) Supplicant utility for Linux, BSD, and Windows with support for WPA and WPA2 (IEEE 802.11i/RSN). The supplicant is an IEEE 802.1X/WPA component that is used in client workstations. It implements key negotiation with a WPA Authenticator and it controls the roaming and IEEE 802.11 authentication and association of the WLAN driver.

Bug Fixes

BZ#813579
When roaming from one Access Point (AP) to another and the connection was disrupted, NetworkManager did not always automatically reconnect. This update includes a number of backported upstream patches to improve Proactive Key Caching (PKC), also known as Opportunistic Key Caching (OKC). As a result, WPA connections now roam more reliably.

BZ#837402
Previously, the supplicant would attempt to roam to slightly stronger access points, increasing the chance of a disconnection. This bug has been fixed and the supplicant now only attempts to roam to a stronger access point when the current signal is significantly degraded.

Enhancement

BZ#672976
The "wpa_gui" program was removed from "wpa_supplicant" in the 6.0 release as per BZ#553349, however, the man page was still being installed. This upgrade removes the man page.

All users of wpa_supplicant are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.

6.274. x3270

6.274.1. RHBA-2013:0383 — x3270 bug fix update

Updated x3270 packages that fix one bug are now available for Red Hat Enterprise Linux 6.

The x3270 packages provide an emulator for the IBM 3278 (monochrome) and 3279 (color) terminals.

Bug Fix

BZ#801139
Prior to this update, the x3270 emulator failed to support the double-byte character set (DBCS). As a consequence, the character sets option for Japanese was disabled. This update modifies the underlying code to enable DBCS and adds the icu packages as a dependency. Now, Japanese character sets are again available.

All users of x3270 are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.275. xfsdump

6.275.1. RHBA-2013:0482 — xfsdump bug fix update

Updated xfsdump packages that fix one bug are now available for Red Hat Enterprise Linux 6.

The xfsdump packages provide several utilities for managing XFS file systems, including xfsrestore and xfsdump.

Bug Fix

BZ#860454
With Red Hat Enterprise Linux 6.4, XFS has been enhanced to allow the use of the 32-bit project quota ID feature. However, the top 16 bits of a 32-bit project quota ID were not properly saved and restored using the xfsdump and xfsrestore utilities. This caused the data to be saved and restored with an incorrect 16-bit project quota ID. With this update, the underlying source code has been fixed so that all 32 bits of the project quota ID are properly saved and restored by xfsdump and xfsrestore.

All users of xfsdump are advised to upgrade to these updated packages, which fix this bug.

6.276. xfsprogs

6.276.1. RHBA-2013:0481 — xfsprogs bug fix and enhancement update

Updated xfsprogs packages that fix three bugs and add one enhancement are now available for Red Hat Enterprise Linux 6.

The xfsprogs packages contain a set of commands to use the XFS file system, including the mkfs.xfs command to construct an XFS system.

Bug Fixes

BZ#730433
When the manual geometry of the mkfs.xfs utility was specified for striping as well as for calculating the allocation group counts and size, mkfs.xfs could emit confusing error messages on failure. With this update, more standardized and informative error messages are returned.

BZ#836433
When the sector size was not specified by the "-f" option, the mkfs.xfs utility used the 512 byte sector size by default even for drives with 4 Kb physical sectors. With this update, mkfs.xfs correctly recognizes the sector size in the described scenario, which fixes this bug.

BZ#878859
When attempting to set a 32-bit quota project ID on an XFS file system which did not have this feature enabled, the command returned success, but truncated the project ID to the lower 16 bits. With this update, a project ID of more than 16 bits cannot be set unless the 32-bit project ID feature is enabled.

Enhancement

BZ#827186
With this update, mkfs.xfs can enable 32-bit project quota IDs on a file system with the "-i projid32bit=1" parameter specified. Without this parameter, mkfs.xfs defaults to 16-bit project quota IDs. The 32-bit project quota IDs can be enabled on existing file systems by using the "xfs_admin -p" command.

All users who use the XFS file system are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.

6.277. xinetd

6.277.1. RHSA-2013:0499 — Low: xinetd security and bug fix update

An updated xinetd package that fixes one security issue and two bugs is now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.

The xinetd package provides a secure replacement for inetd, the Internet services daemon. xinetd provides access control for all services based on the address of the remote host and/or on time of access, and can prevent denial-of-access attacks.

Security Fix

CVE-2012-0862
When xinetd services are configured with the "TCPMUX" or "TCPMUXPLUS" type, and the tcpmux-server service is enabled, those services are accessible via port 1. It was found that enabling the tcpmux-server service (it is disabled by default) allowed every xinetd service, including those that are not configured with the "TCPMUX" or "TCPMUXPLUS" type, to be accessible via port 1. This could allow a remote attacker to bypass intended firewall restrictions.

Red Hat would like to thank Thomas Swan of FedEx for reporting this issue.

Bug Fixes

BZ#790036
Prior to this update, a file descriptor array in the service.c source file was not handled as expected. As a consequence, some of the descriptors remained open when xinetd was under heavy load. Additionally, the system log was filled with a large number of messages that took up a lot of disk space over time. This update modifies the xinetd code to handle the file descriptors correctly and messages no longer fill the system log.

BZ#809271
Prior to this update, services were disabled permanently when their CPS limit was reached. As a consequence, a failed bind operation could occur when xinetd attempted to restart the service. This update adds additional logic that attempts to restart the service. Now, the service is only disabled if xinetd cannot restart the service after 30 attempts.

All users of xinetd are advised to upgrade to this updated package, which contains backported patches to correct these issues.
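
A configuration audit for the CVE-2012-0862 exposure described in the security fix above, as an added example (not Red Hat's or the xinetd project's code). It assumes the tcpmux-server entry is declared as "service tcpmux" or carries "id = tcpmux-server", runs on a constructed sample configuration with illustrative service names and paths, and does not evaluate the enabled/disabled lists of a defaults block.

```python
import re
from dataclasses import dataclass, field

# Constructed sample standing in for the files under /etc/xinetd.d/.
# "imagesvc" and all server paths are illustrative, not from the advisory.
SAMPLE_CONFIG = """\
service tcpmux
{
    id       = tcpmux-server
    type     = INTERNAL
    disable  = no
}
service rsync
{
    disable  = no
    server   = /usr/bin/rsync
}
service imagesvc
{
    type     = UNLISTED
    type    += TCPMUX
    disable  = no
    server   = /usr/local/bin/imagesvc
}
service telnet
{
    disable  = yes
    server   = /usr/sbin/in.telnetd
}
"""

ATTR_RE = re.compile(r"^(\w+)\s*(\+=|-=|=)\s*(.*)$")
MUX_TYPES = {"TCPMUX", "TCPMUXPLUS"}


@dataclass
class Service:
    name: str
    attrs: dict = field(default_factory=dict)

    @property
    def disabled(self):
        return [v.lower() for v in self.attrs.get("disable", [])] == ["yes"]

    @property
    def is_mux_server(self):
        # Assumption: the tcpmux-server entry is identified by name or id.
        return self.name == "tcpmux" or "tcpmux-server" in self.attrs.get("id", [])

    @property
    def is_mux_type(self):
        return bool(MUX_TYPES & {v.upper() for v in self.attrs.get("type", [])})


def parse_services(text):
    """Parse 'service NAME { attr op values }' entries; other blocks are skipped."""
    services, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if current is None:
            head = re.match(r"^service\s+(\S+)$", line)
            if head:
                pending = head.group(1)
            elif line == "{" and pending is not None:
                current, pending = Service(pending), None
            continue
        if line == "}":
            services.append(current)
            current = None
            continue
        attr = ATTR_RE.match(line)
        if attr:
            key, op, vals = attr.group(1), attr.group(2), attr.group(3).split()
            old = current.attrs.get(key, [])
            if op == "=":
                current.attrs[key] = vals
            elif op == "+=":
                current.attrs[key] = old + vals
            else:  # "-=" removes the listed values
                current.attrs[key] = [v for v in old if v not in vals]
    return services


def audit(text):
    """Report which enabled services port 1 would expose if tcpmux-server is on."""
    enabled = [s for s in parse_services(text) if not s.disabled]
    mux_on = any(s.is_mux_server for s in enabled)
    others = [s for s in enabled if mux_on and not s.is_mux_server]
    return {
        "tcpmux_server_enabled": mux_on,
        # Configured for TCPMUX/TCPMUXPLUS: reachable via port 1 by design.
        "intended_via_port_1": sorted(s.name for s in others if s.is_mux_type),
        # Not configured for it: reachable via port 1 only without the fix.
        "unintended_via_port_1": sorted(s.name for s in others if not s.is_mux_type),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

A non-empty unintended_via_port_1 list on a host still running an xinetd package without this update means firewall rules written for those services' own ports do not cover them; either apply the update or keep tcpmux-server disabled.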

6.278. X.Org Legacy Input Drivers

6.278.1. RHEA-2013:0295 — X.Org X11 legacy input drivers enhancement update

Updated xorg-x11-drv-acecad, xorg-x11-drv-aiptek, xorg-x11-drv-hyperpen, xorg-x11-drv-elographics, xorg-x11-drv-fpit, xorg-x11-drv-mutouch, xorg-x11-drv-penmount, and xorg-x11-drv-void packages that add various enhancements are now available for Red Hat Enterprise Linux 6.

The xorg-x11-drv-keyboard and xorg-x11-drv-mouse packages contain the legacy X.Org X11 input drivers for keyboards and mice.

The xorg-x11-drv-acecad, xorg-x11-drv-aiptek, xorg-x11-drv-hyperpen, xorg-x11-drv-elographics, xorg-x11-drv-fpit, xorg-x11-drv-mutouch, xorg-x11-drv-penmount, and xorg-x11-drv-void packages contain the X.Org X11 input drivers for legacy devices.

The following packages have been upgraded to their respective upstream versions, which provide a number of enhancements over the previous versions:

Table 6.3. Upgraded packages

PACKAGE NAME              UPSTREAM VERSION  BZ NUMBER
xorg-x11-drv-acecad       1.5.0             835212
xorg-x11-drv-aiptek       1.4.1             835215
xorg-x11-drv-elographics  1.4.1             835222
xorg-x11-drv-fpit         1.4.0             835229
xorg-x11-drv-hyperpen     1.4.1             835233
xorg-x11-drv-keyboard     1.6.2             835237
xorg-x11-drv-mouse        1.8.1             835242
xorg-x11-drv-mutouch      1.3.0             835243
xorg-x11-drv-penmount     1.5.0             835248
xorg-x11-drv-void         1.4.0             835264

Users of X.Org X11 legacy input drivers are advised to upgrade to these updated packages, which add these enhancements.

6.279. xorg-x11-drv-ati

6.279.1. RHBA-2013:0302 — xorg-x11-drv-ati bug fix and enhancement update

Updated xorg-x11-drv-ati packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The xorg-x11-drv-ati packages provide a driver for ATI graphics cards for the X.Org implementation of the X Window System.

Upgrade to an upstream version

The xorg-x11-drv-ati packages have been upgraded to upstream version 6.99.99, which provides a number of bug fixes and enhancements over the previous version. (BZ#835218)

All users of xorg-x11-drv-ati are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.280. xorg-x11-drv-evdev

6.280.1. RHBA-2013:0297 — xorg-x11-drv-evdev bug fix and enhancement update

Updated xorg-x11-drv-evdev packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The xorg-x11-drv-evdev packages contain the X.Org X11 input drivers for keyboards and mice.

Upgrade to an upstream version

The xorg-x11-drv-evdev package has been upgraded to upstream version 2.7.3, which provides a number of bug fixes and enhancements over the previous version. (BZ#835225)

All users of xorg-x11-drv-evdev are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.281. xorg-x11-drv-intel

6.281.1. RHBA-2013:0303 — xorg-x11-drv-intel bug fix and enhancement update

Updated xorg-x11-drv-intel packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The xorg-x11-drv-intel packages contain an Intel integrated graphics video driver for the X.Org implementation of the X Window System.

Upgrade to an upstream version

The xorg-x11-drv-intel packages have been upgraded to upstream version 2.20.2, which provides a number of bug fixes and enhancements over the previous version. (BZ#835236)

All users of xorg-x11-drv-intel are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.

6.282. xorg-x11-drv-nouveau

6.282.1. RHBA-2013:0304 — xorg-x11-drv-nouveau bug fix and enhancementupdateUpdated xorg-x11-drv-nouveau packages that fix several bugs and add various enhancements are nowavailable for Red Hat Enterprise Linux 6.

The xorg-x11-drv-nouveau package provides the X.Org X11 noveau video driver for NVIDIA graphicschipsets.

Upgrade to an upstream version

The xorg-x11-drv-nouveau package has been upgraded to upstream version 1.0.1, which provides a number of bug fixes and enhancements over the previous version. (BZ#835245)

Users of xorg-x11-drv-nouveau are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.283. xorg-x11-drv-qxl

6.283.1. RHBA-2013:0308 — xorg-x11-drv-qxl bug fix and enhancement update

Updated xorg-x11-drv-qxl packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The xorg-x11-drv-qxl packages provide an X11 video driver for the QEMU QXL video accelerator. This driver makes it possible to use Red Hat Enterprise Linux 6 as a guest operating system under the KVM kernel module and the QEMU multi-platform emulator, using the SPICE protocol.

Upgrade to an upstream version

The xorg-x11-drv-qxl packages have been upgraded to upstream version 0.1.0, which adds support for multiple monitors and continuous resolution. It also provides a number of bug fixes and enhancements over the previous version. (BZ#835249, BZ#787160)

Bug Fixes

BZ#883578

Due to overlapping memory areas, remote-viewer became unresponsive after a migration of a guest playing a video. This update adjusts the monitors_config pointer to fix this issue, and migration of a guest, which is displaying video, works as expected.

BZ#896005

This update disables "surfaces" by default due to a performance regression with the rendering support.

All users of xorg-x11-drv-qxl are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.284. xorg-x11-drv-synaptics

6.284.1. RHBA-2013:0298 — xorg-x11-drv-synaptics bug fix and enhancement update

Updated xorg-x11-drv-synaptics packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The xorg-x11-drv-synaptics packages contain the X.Org X11 input drivers for Synaptics touchpads.

Upgrade to an upstream version

The xorg-x11-drv-synaptics packages have been upgraded to upstream version 1.6.2, which provides a number of bug fixes and enhancements over the previous version. (BZ#835257)

Users of xorg-x11-drv-synaptics are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.285. xorg-x11-drv-vmmouse

6.285.1. RHBA-2013:0300 — xorg-x11-drv-vmmouse bug fix and enhancement update

Updated xorg-x11-drv-vmmouse packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The xorg-x11-drv-vmmouse packages contain the X.Org X11 input drivers for the VMware vSphere Hypervisor.

Upgrade to an upstream version

The xorg-x11-drv-vmmouse package has been upgraded to upstream version 12.9.0, which provides a number of bug fixes and enhancements over the previous version. (BZ#835262)

Users of xorg-x11-drv-vmmouse are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.286. xorg-x11-drv-wacom

6.286.1. RHBA-2013:0296 — xorg-x11-drv-wacom bug fix and enhancement update

Updated xorg-x11-drv-wacom packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The xorg-x11-drv-wacom packages contain the X.Org X11 input drivers for Wacom graphics tablets.

Upgrade to an upstream version

The xorg-x11-drv-wacom package has been upgraded to upstream version 0.16.1, which provides a number of bug fixes and enhancements over the previous version. (BZ#835266)

Bug Fixes

BZ#859851

Due to a bug in the input driver, covering the Expresskeys on the Wacom Intuos5 graphics tablet caused a spurious stylus jump to the upper left corner (0,0). This bug has been fixed and the described issue no longer occurs.

BZ#862939

Previously, the xorg.conf configuration file with two devices containing the same input node caused a double free error and subsequent failure of the X server. With this update, xorg.conf has been fixed, and the server crash is now prevented.

Enhancements

BZ#838751

With this update, support for the Wacom Intuos5 series graphics tablets has been added to the xorg-x11-drv-wacom package.

BZ#857088

With this update, support for the Wacom Cintiq 22HD series graphics tablets has been added to the xorg-x11-drv-wacom package.

All users of xorg-x11-drv-wacom are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.287. xorg-x11-server

6.287.1. RHBA-2013:0299 — xorg-x11-server bug fix and enhancement update

Updated xorg-x11-server packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

The xorg-x11-server packages provide the X.Org sample implementation of a server for the X Window System and the rendering services necessary for graphical user environments, such as GNOME and KDE.

Upgrade to an upstream version

Updated xorg-x11-server packages that fix several bugs are now available for Red Hat Enterprise Linux 6. The xorg-x11-server packages have been upgraded to upstream version 1.13.0, which provides a number of bug fixes and enhancements over the previous version. (BZ#833212)

Bug Fixes

BZ#608076

When the GNOME sound volume applet was configured to pop up after pressing the "mute", "volume up", or "volume down" hardware buttons, doing so caused a graphical glitch to appear in a dual monitor configuration. Now, the screen glitch no longer appears.

BZ#745033

When spice-client was opened in full-screen mode, the client screen contained a static image which was not refreshed until it was switched back to window mode. Now, the static image no longer appears when opened in full-screen mode.

BZ#816347

When the screen saver started to fade, pressing keys did not interrupt the fade and did not immediately display the unlock screen. Now, pressing keys stops the screen from fading.

BZ#829321

A NULL pointer dereference caused X.Org to terminate unexpectedly with a segmentation fault on certain servers. The error is fixed and X.Org no longer crashes on those servers.

BZ#837073

An invalid pointer dereference in the server caused the server to unexpectedly terminate with a segmentation fault when the mouse was moved over the VNC window. Crashes no longer occur when moving the mouse over the VNC window.

BZ#853236

The KVM process could not access the X server because the "/usr/bin/Xorg" binary was unreadable for non-root users. Now, all users can read the binary and KVM guests can access host operating systems.

BZ#858005

A transformation matrix is used to bind a device to a specific area on the screen. An uninitialized device transformation matrix caused the pointer to jump to the top-left corner of the screen on some devices. With this update, the transformation matrix is properly initialized and pointer device movement works as expected.

BZ#863913

An X Input Extension (XI 1.x) grab on a disabled device led to a NULL pointer dereference error which caused the server to terminate unexpectedly. Currently, the XI 1.x grab functions normally and the X server no longer crashes.

BZ#864054

When screens are reconfigured, the server updates some internal fields to adjust input device coordinate scaling if the device is bound to a specific screen. The NVIDIA binary driver did not have access to these internal methods, and was not able to update these fields when it changed output configurations. A new API is now exported for the driver and the NVIDIA driver is now able to update the server-internal fields.

BZ#868054

Pointer screen crossings for non-Xinerama setups caused the mouse pointer to wrap around on the first screen instead of moving to the second screen. Now, the mouse pointer can move between both screens on non-Xinerama setups.

BZ#883206

Running xrestop on servers that used Intel, ATI or Nouveau drivers caused the server to terminate unexpectedly with a segmentation fault. Now, users are able to run xrestop on those servers without crashes.

Users of xorg-x11-server are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.288. xorg-x11

6.288.1. RHEA-2013:0301 — xorg-x11 drivers enhancement update

Updated xorg-x11 drivers packages that add numerous enhancements are now available for Red Hat Enterprise Linux 6.

The xorg-x11 drivers packages allow the OS installation software to install all drivers at once, without having to track which individual drivers are present on each architecture. Installing these packages forces all of the individual driver packages to be installed.

The following xorg-x11 drivers packages have been upgraded to their upstream versions to update several legacy GPU drivers:

Table 6.4. Upgraded packages

Package name                Upstream version   BZ number
xorg-x11-drv-apm            1.2.5              835216
xorg-x11-drv-ast            0.97.0             835217
xorg-x11-drv-cirrus         1.5.1              835219
xorg-x11-drv-dummy          0.3.6              835220
xorg-x11-drv-fbdev          0.4.3              835228
xorg-x11-drv-geode          2.11.13            835230
xorg-x11-drv-glint          1.2.8              835231
xorg-x11-drv-i128           1.3.6              835234
xorg-x11-drv-i740           1.3.4              835235
xorg-x11-drv-mach64         6.9.3              835239
xorg-x11-drv-mga            1.6.1              835240
xorg-x11-drv-neomagic       1.2.7              835244
xorg-x11-drv-nv             2.1.20             835246
xorg-x11-drv-openchrome     0.3.0              835247
xorg-x11-drv-r128           6.9.1              835250
xorg-x11-drv-rendition      4.2.5              835251
xorg-x11-drv-s3virge        1.10.6             835252
xorg-x11-drv-savage         2.3.6              835253
xorg-x11-drv-siliconmotion  1.7.7              835254
xorg-x11-drv-sis            0.10.7             835255
xorg-x11-drv-sisusb         0.9.6              835256
xorg-x11-drv-tdfx           1.4.5              835258
xorg-x11-drv-v4l            0.2.0              835260
xorg-x11-drv-trident        1.3.6              835259
xorg-x11-drv-vesa           2.3.2              835261
xorg-x11-drv-vmware         12.0.2             835263
xorg-x11-drv-voodoo         1.2.5              835265
xorg-x11-drv-xgi            1.6.0              835267
xorg-x11-drivers            7.3                835285

Users of xorg-x11-drv are advised to upgrade to these updated packages, which add various enhancements.

6.289. xorg-x11-xkb-utils

6.289.1. RHBA-2013:0305 — xorg-x11-xkb-utils bug fix and enhancement update

Updated xorg-x11-xkb-utils packages that fix several bugs and add various enhancements are now available.

The x11-xkb-utils packages provide a set of client-side utilities for XKB, the X11 keyboard extension.

Upgrade to an upstream version

The x11-xkb-utils packages have been upgraded to upstream version 7.7, which provides a number of bug fixes and enhancements over the previous version. (BZ#835282, BZ#872057)

All users of x11-xkb-utils are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.290. yaboot

6.290.1. RHBA-2013:0476 — yaboot bug fix and enhancement update

Updated yaboot packages that fix one bug and add one enhancement are now available for Red Hat Enterprise Linux 6.

The yaboot packages provide a boot loader for Open Firmware based PowerPC systems. Yaboot can be used to boot IBM eServer System p machines.

Bug Fix

BZ#871579

Prior to this update, the yaboot loader used by default a maximum block size of 512 bytes in the fdisk partition table. As a consequence, yaboot could not load a kernel in a disk that was formatted using 4 kilobytes partitions. This update extends the MAX_BLOCK_SIZE value to 4 kilobytes to allow for disks that use the advanced format.

Enhancement

BZ#822657

This update adds VLAN Tag support for network boot and installation to allow multiple VLANs in a bridged network to share the same physical network link but maintain isolation.

All users of yaboot are advised to upgrade to these updated packages, which fix this bug and add this enhancement.

6.291. ypbind

6.291.1. RHBA-2013:0426 — ypbind bug fix update

Updated ypbind packages that fix one bug are now available for Red Hat Enterprise Linux 6.

The ypbind packages provide the ypbind daemon to bind NIS clients to an NIS domain. The ypbind daemon must be running on any machines that run NIS client programs.

Bug Fix

BZ#647495

Prior to this update, ypbind started too late in the boot sequence, which caused problems in some environments, where it needed to be started before netfs. This update changes the priority of the ypbind service. Now, ypbind starts as expected.

All users of ypbind are advised to upgrade to these updated packages, which fix this bug.

6.292. ypserv

6.292.1. RHBA-2013:0330 — ypserv bug fix update

Updated ypserv packages that fix four bugs are now available for Red Hat Enterprise Linux 6.

The ypserv packages provide the Network Information Service (NIS) server. NIS is a system that provides network information such as login names, passwords, home directories, and group information to all the machines on a network.

Bug Fixes

BZ#790812

Prior to this update, the NIS server was returning "0" (YP_FALSE) instead of "-1" (YP_NOMAP) after a request for a database not present in the server's domain. This behavior caused the autofs mount attempts to fail on Solaris clients. With this update, the return value has been fixed and the autofs mounts no longer fail on Solaris clients.

BZ#816981

Previously, when the crypt() function returned NULL, the yppasswd utility did not properly recognize the return value. This bug has been fixed, and the NULL return values of crypt() are now recognized and reported correctly by yppasswd.

BZ#845283

Previously, the ypserv utility allocated large amounts of virtual memory when parsing XDR requests, but failed to free that memory in case the request was not parsed successfully. Consequently, memory leaks occurred. With this update, a patch has been provided to free the already allocated memory when parsing of a request fails. As a result, the memory leaks no longer occur.

BZ#863952

Previously, the yppush(8) man page did not describe how to change settings of the yppush utility. The manual page has been amended to specify that the settings can be changed in the /var/yp/Makefile file.

All users of ypserv are advised to upgrade to these updated packages, which fix these bugs.

6.293. yum-rhn-plugin

6.293.1. RHBA-2013:0389 — yum-rhn-plugin bug fix update

Updated yum-rhn-plugin packages that fix several bugs are now available for Red Hat Enterprise Linux 6.

The yum-rhn-plugin packages make it possible to receive content from Red Hat Network in yum.

Bug Fixes

BZ#789092

Previously, yum-rhn-plugin ignored the timeout value set for yum. In some scenarios with slow networking, this could cause yum to time out when communicating with Red Hat Network. Now, yum-rhn-plugin abides by the timeout set for all yum repositories.

BZ#802636

Previously, the check-update utility could in certain cases incorrectly return a 0 error code if an error occurred. With this update, "1" is returned if an error occurs.

BZ#824193

Prior to this update, applying automatic updates with the yum-rhn-plugin utility on a Red Hat Enterprise Linux 6 system could fail with an "empty transaction" error message. This was because the cached version of yum-rhn-plugin metadata was not up-to-date. With this update, yum-rhn-plugin downloads new metadata if available, ensuring that all packages are available for download.

BZ#830219

Previously, the messaging in yum-rhn-plugin was specific only to Red Hat Network Classic scenarios. This update clarifies what source yum-rhn-plugin is receiving updates from to reduce confusion.

BZ#831234

Prior to this update, yum-rhn-plugin did not correctly try the alternate server URLs provided if the first option failed. This update ensures that fail-over situations are handled correctly.

All users of yum-rhn-plugin are advised to upgrade to these updated packages which fix these bugs.

6.294. yum

6.294.1. RHBA-2013:0406 — yum bug fix and enhancement update

Updated yum packages that fix several bugs and add two enhancements are now available for Red Hat Enterprise Linux 6.

Yum is a command-line utility that allows the user to check for updates and automatically download and install updated RPM packages. Yum automatically obtains and downloads dependencies, prompting the user for permission as necessary.

Bug Fixes

BZ#674756

When running the yum localinstall command, various requires, obsoletes, and conflicts situations were not handled properly and resulted in inconsistent package installations using different Yum commands. The underlying source code has been modified and Yum resolves all the aforementioned situations properly.

BZ#727553

When trying to execute the yum update --skip-broken command on the command line, the package dependency resolution never ended. This bug is now fixed and dependencies are resolved successfully after executing the yum update --skip-broken command.

BZ#802462

After creating a new yum history file, the yum history stats command failed with a traceback instead of reporting an actual error. This bug is now fixed and when the yum history stats command fails after creating a new yum history file, it displays an error message.

BZ#815568

Previously, when running the yum makecache command, followed by the yum -C updateinfo command, the second command failed to execute because, although the updateinfo file had been downloaded by yum makecache, it was uncompressed and treated as unavailable by yum -C updateinfo. This bug is now fixed and yum -C updateinfo works as expected in this scenario.

BZ#834159

Previously, when trying to install an obsoleted package from a repository, Yum reported "Nothing to do" instead of providing an "obsolete" error message. This bug is now fixed and Yum now correctly warns users about obsolete packages.

BZ#840543

Previously, when the yum upgrade command failed to execute, Yum displayed a misleading "Protected multilib versions" error message instead of the accurate one. This bug is now fixed and if Yum fails, it displays the correct error message.

BZ#872518

When Yum was executed by a regular user, Yum downloaded metadata even if the "root" metadata were up-to-date. This bug is now fixed and Yum does not download unnecessary data if the "root" metadata are up-to-date.

BZ#809117

A typo in the yum(8) man page has been fixed.

BZ#878335

After a rebase update of the createrepo utility, execution of the createrepo --update command took significantly longer. This update reduces the time for executing the createrepo --update command.

BZ#737173

Previously, when the yum updateinfo command, provided by the yum-security plug-in, was used, Yum did not merge the version information from multiple repositories. This could prevent the latest version of a package that was present in multiple repositories from being installed. Now, when installing packages from multiple repositories, Yum installs only the latest packages available.

BZ#819522

Previously, when trying to reinstall an unavailable package and the execution failed, the exit code had the value of 0. This bug is now fixed and when reinstallation of an unavailable package fails, it returns an exit code with the value of 1.

BZ#820674

Previously, when the yum-debug-restore command was used to restore multiple installonly packages, Yum tried to keep a limit of packages that were installed simultaneously and removed packages that were present in the system. Also, Yum restored multiple packages but assumed that just one would be installed. Yum's installonly_limit configuration now determines what to install and remove correctly when multiple items are installed at once. This is most noticeable when using commands like yum shell and yum-debug-restore.

BZ#858844

When using the yum.yumBase().update() function to specify a package name, version, and/or release of a certain package, the function terminated and failed to update the aforementioned variables. This bug is now fixed and the yum.yumBase().update() function can be used successfully to specify a package name, version, and release.

BZ#868840

Previously, when trying to resolve dependencies while updating packages that had dependencies, Yum entered a loop and no packages were installed after execution of the yum update command. After this update, the yum update command now handles packages with obsoleting dependencies as expected.

BZ#880968

Due to an incorrect prioritization of actions performed by Yum after entering a command with a syntactically incorrect subcommand, Yum performed a series of unnecessary actions before acknowledging the typo. This bug has been fixed and Yum performs an immediate syntax check in the described scenario.

BZ#887935

When updateinfo.xml was generated via the update_md.UpdateNotice() method, the yum API only accounted for the "issued date" element and ignored the "updated date" element. Now, the yum API accounts for the "updated date" element and the "updated date" element is displayed in the XML file.

BZ#885159

Previously, users were not notified that different certificate files with the same basename were treated as identical, which could lead to various problems. With this update, Yum checks certificate files for such duplicates and displays an error message appropriately.

Enhancements

BZ#684859

Yum plug-ins are now able to set exit codes on any Yum operations.

BZ#744335

With this update, yum-cron is now documented in the yum-cron(8) man page.

BZ#748054

Support for the installonlypkgs functionality in rhev-hypervisor packages has been added.

Users of yum are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

6.295. zlib

6.295.1. RHBA-2013:0398 — zlib bug fix and enhancement update

Updated zlib packages that fix one bug and add one enhancement are now available for Red Hat Enterprise Linux 6.

The zlib packages provide a general-purpose lossless data compression library that is used by many different programs.

Bug Fix

BZ#754694

Due to missing information about the zlib version, some applications using zlib could not work properly. The zlib.map version script, which provides version information, has been added to the underlying source code and zlib now works as expected.

Enhancement

BZ#823007

This enhancement optimizes the zlib compression library for IBM System z.

All users of zlib are advised to upgrade to these updated packages, which fix this bug and add this enhancement.

Revision History

Revision 1-1.24 Wed Aug 28 2013 Miroslav Svoboda
Republished to include Section 6.103.1, “RHSA-2013:1173 — Important: kernel security and bug fix update”.

Revision 1-1.22 Tue Jul 23 2013 Miroslav Svoboda
Republished to include Section 6.103.2, “RHSA-2013:1051 — Moderate: kernel security and bug fix update”.

Revision 1-1.21 Tue Jun 25 2013 Eliška Slobodová
Republished to include a samba4 known issue.

Revision 1-1.20 Tue Jun 11 2013 Miroslav Svoboda
Republished to include Section 6.103.3, “RHSA-2013:0911 — Important: kernel security, bug fix and enhancement update”.

Revision 1-1.17 Fri May 24 2013 Eliška Slobodová
Removed the numad package from Technology Previews as it is now fully supported.

Revision 1-1.15 Fri Apr 26 2013 Eliška Slobodová
Republished the book to include a known issue.

Revision 1-1.13 Fri Mar 22 2013 Miroslav Svoboda
Republished to include Section 6.103.4, “RHSA-2013:0744 — Important: kernel security and bug fix update”.

Revision 1-1.11 Fri Mar 22 2013 Martin Prpič
Republished to include Section 6.128.1, “RHBA-2013:0664 — libvirt bug fix and enhancement update”.

Revision 1-1.10 Tue Mar 12 2013 Eliška Slobodová
Republished the book to include the RHSA-2013:0630 kernel advisory and a new known issue, BZ#918647.

Revision 1-1.2 Mon Feb 25 2013 Martin Prpič
Fixed incorrect lpfc driver version: BZ#915284.

Revision 1-1.1 Thu Feb 21 2013 Eliška Slobodová
Release of the Red Hat Enterprise Linux 6.4 Technical Notes.
